Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip

Overview

General Information

Sample name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
Analysis ID:1583318
MD5:040e4e96b3c71169e5706b579862bb8c
SHA1:f9da50db010b8704a5246d42d2cd1e898a244b3f
SHA256:03691405dc49eed57372ef1877d246c3464453aa26ed49966cae495bb5fb95dd
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Adds / modifies Windows certificates
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 6508 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • FreeFileSync_13.9_Windows_Setup.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" MD5: 954CEE0E02BAC777F4DB7A05EE8BDA65)
    • FreeFileSync_13.9_Windows_Setup.tmp (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$402CA,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" MD5: AFC70B74FF6456A1DB47AA6A5480A389)
      • FreeFileSync_13.9_Windows_Setup.exe (PID: 7124 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA MD5: 954CEE0E02BAC777F4DB7A05EE8BDA65)
        • FreeFileSync_13.9_Windows_Setup.tmp (PID: 6220 cmdline: "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA MD5: AFC70B74FF6456A1DB47AA6A5480A389)
          • FreeFileSync.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg" MD5: DD8779C4A9D2F47F3C9279F6F7786E69)
          • powershell.exe (PID: 3880 cmdline: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 4064 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • FreeFileSync.exe (PID: 1536 cmdline: "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize MD5: DD8779C4A9D2F47F3C9279F6F7786E69)
            • FreeFileSync_x64.exe (PID: 5640 cmdline: "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize MD5: 9C31F370631A40917DF397F40C0772DB)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA , ParentImage: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 6220, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 3880, ProcessName: powershell.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA , ParentImage: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 6220, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 3880, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA , ParentImage: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp, ParentProcessId: 6220, ParentProcessName: FreeFileSync_13.9_Windows_Setup.tmp, ProcessCommandLine: "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'", ProcessId: 3880, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-01-02T13:29:46.203409+010020283713Unknown Traffic192.168.2.1649708104.21.2.160443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_e21c92ba-c
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\UninstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\is-2E3MA.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-T50S2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-AE0J0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-VDC8T.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-9HG6N.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-02RD3.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\ResourcesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-12H34.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-FBQ0I.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-57T01.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-1D3QI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-185HH.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-LEJVI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-OE1DV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-EN6V8.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-2IM3U.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-1MB2K.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-CRA09.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-GTR9S.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-2OB44.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\BinJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-DDMAO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.msgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\Animal.datJump to behavior
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_Win32.pdb{ source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdbB source: FreeFileSync.exe, 0000000A.00000000.1254697330.0000000000A16000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1371545424.0000000000132000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_x64.pdb source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:30 2024 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_win32_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_win32_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: is-MK0QG.tmp.9.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specific..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_x64.pdb source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_Win32.pdb source: is-MK0QG.tmp.9.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specificCPUINFO: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdb source: FreeFileSync.exe, 0000000A.00000000.1254697330.0000000000A16000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1371545424.0000000000132000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:18 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49708 -> 104.21.2.160:443
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: api.freefilesync.org
Source: unknownHTTP traffic detected: POST /new_installation HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencoded; Charset=UTF-8Accept: */*User-Agent: FFS-InstallerContent-Length: 180Host: api.freefilesync.org
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: http://127.0.0.1:
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://127.0.0.1:GETacceptHTTP/1.0
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1477127157.0000000005B90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fsf.org/
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: FreeFileSync_x64.exe, 00000013.00000002.1418537293.000002673A35D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-c
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://subca.ocsp-certum.com01
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://subca.ocsp-certum.com02
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://subca.ocsp-certum.com05
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: http://www.certum.pl/CPS0
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002B63000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1468326350.0000000003992000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dk-soft.org/
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: http://www.wxwidgets.org
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1486152239.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C66000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1486152239.0000000002D5C000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org/manual.php)
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1481735992.000000000274C000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000028A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.org/manual.php1
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.php
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth?
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth?login_hintMESSAGE_PLACEHOLDERYou
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465474308.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472129478.0000000000C5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org/K
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://api.freefilesync.org/activate_installationkeystd::timecompile
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequire
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://api.freefilesync.org/auto_updater&Home
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://api.freefilesync.org/email_notifylog_warning_totallog_error_totalffs_versiontxCannot
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/email_notifystatusokServer
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://api.freefilesync.org/latest_changes?
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalid
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://api.freefilesync.org/latest_version&Auto-updateCheck
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://api.freefilesync.org/latest_versionUnexpected
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465474308.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1476190448.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472129478.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465474308.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1454606163.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, unins000.dat.9.drString found in binary or memory: https://api.freefilesync.org/new_installation
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1454826977.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472129478.0000000000C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.freefilesync.org:443/new_installation
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://curl.se/docs/hsts.html
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://drive.google.com/drive/folders/%x
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://drive.google.com/drive/folders/Item
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/activate-installation.php?
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/activate-installation.php?%x
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/activate-installation.php?Failed
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/business.php?
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/business.php?Invalid
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1468326350.0000000003975000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.9.drString found in binary or memory: https://freefilesync.org/donate
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/donateShare
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/donateSupport
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1309008097.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1338955922.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1475877172.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466256543.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1477127157.0000000005B90000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472744428.0000000000C01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freefilesync.org/faq.php#business
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1309008097.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1338955922.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1475877172.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466256543.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1477127157.0000000005B90000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472744428.0000000000C01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freefilesync.org/faq.php#donation-edition
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/faq.php#donation-editionFFS_DOWNLOAD_PATHFailed
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/forum1.Activate
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/forumMany
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/get_latest.phpFreeZZLocalMachinePortableffs_variantinstallation_typeDonatio
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/get_latest.phpos_version64ffs_variantos_namedip_scaleffs_lang32os_archDonat
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/FreeFileSync.png
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/Items
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/clock.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/images/log/email_short_txtemail_short_htmlsync_resultprocessed_itemsprocess
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/file.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/log.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/msg-error.png
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/images/log/msg-warning.png
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=command-line)
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=comparison-settings)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=comparison-settingsHandle
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=comparison-settingsMore
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=daylight-saving-time1
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=daylight-saving-timeHandle
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=exclude-filesInclude:Local
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=exclude-filesShow
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settings)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsA
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsAvmSnd.dllFailed
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsThe
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=expert-settingsfreefilesync.org
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=external-applications%item_name%File
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=external-applicationsParent
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=freefilesync
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=freefilesyncwxFileDialogBase::GetPathC:
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=ftp-setup)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=ftp-setupAccess
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=ftp-setupPrompt
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=macros)
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=performanceHow
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=performanceParallel
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=realtimesync&View
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=schedule-a-batch-job&CancelThe
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=schedule-a-batch-job&Show
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=schedule-batch-jobs)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=synchronization-settingsDetect
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=synchronization-settingsLimit
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=variable-drive-letters)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/manual.php?topic=versioningMove
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/manual.php?topic=versioningNaming
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/thank-you.php?
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://freefilesync.org/thank-you.php?Invalid
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://freefilesync.org/thank-you.php?https://freefilesync.org/business.php?Registered.datInstall.d
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://freefilesync.org/tutorials.php)
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://github.com/keymanapp/keyman/issues/1723Failed
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://github.com/keymanapp/keyman/issues/1723The
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/keymanapp/keyman/issues/1723keyman64.dllFailed
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://winmerge.org/)
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465301481.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: https://www.certum.pl/CPS0
Source: is-AE0J0.tmp.9.drString found in binary or memory: https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting)
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://www.google.com/Moved
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.google.com/Multiple
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://www.googleapis.com/
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com//upload/drive/v3/files?googleapis.comInvalid
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://www.googleapis.com//upload/drive/v3/files?uploadTyperesumablePlease
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drString found in binary or memory: https://www.googleapis.com/auth/drive
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/auth/driveresponse_typecode_challengescopeUnexpected
Source: is-MK0QG.tmp.9.drString found in binary or memory: https://www.googleapis.com/auth/driveresponse_typelistenhttp://127.0.0.1:code_challenge_methodplainc
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234543664.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234132185.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000000.1236073723.0000000000661000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000000.1247153771.000000000029D000.00000020.00000001.01000000.00000009.sdmp, is-2E3MA.tmp.9.drString found in binary or memory: https://www.innosetup.com/
Source: FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234543664.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234132185.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000000.1236073723.0000000000661000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000000.1247153771.000000000029D000.00000020.00000001.01000000.00000009.sdmp, is-2E3MA.tmp.9.drString found in binary or memory: https://www.remobjects.com/ps
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownHTTPS traffic detected: 104.21.2.160:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: FreeFileSync_13.9_Windows_Setup.tmp.3.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: FreeFileSync_13.9_Windows_Setup.tmp.7.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-2E3MA.tmp.9.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-2E3MA.tmp.9.drStatic PE information: Number of sections : 11 > 10
Source: FreeFileSync_13.9_Windows_Setup.tmp.3.drStatic PE information: Number of sections : 11 > 10
Source: FreeFileSync_13.9_Windows_Setup.tmp.7.drStatic PE information: Number of sections : 11 > 10
Source: is-MK0QG.tmp.9.drBinary string: \\?\GLOBALROOT\Device\
Source: is-MK0QG.tmp.9.drBinary string: \Device\
Source: is-MK0QG.tmp.9.drBinary string: \\?\UNC\\\?\\\\\?\UNC\\\?\GLOBALROOT\Device\CompareStringOrdinal?:\[] Error comparing strings:Unexpected return value: \\?\GLOBALROOT\Device\C:\Data\Projects\zen\file_path.cpp\??\\\?\Volume{\SystemRoot\\??\UNC\\Device\SystemRootFindFirstFileExFindNextFileCannot open directory %x.Folder contains an item without name.: ERROR_INTERNET_TIMEOUTERROR_INTERNET_OUT_OF_HANDLESERROR_INTERNET_INTERNAL_ERRORERROR_INTERNET_EXTENDED_ERRORERROR_INTERNET_UNRECOGNIZED_SCHEMEERROR_INTERNET_INVALID_URLERROR_INTERNET_PROTOCOL_NOT_FOUNDERROR_INTERNET_NAME_NOT_RESOLVEDERROR_INTERNET_BAD_OPTION_LENGTHERROR_INTERNET_INVALID_OPTIONERROR_INTERNET_SHUTDOWNERROR_INTERNET_OPTION_NOT_SETTABLEERROR_INTERNET_INCORRECT_PASSWORDERROR_INTERNET_INCORRECT_USER_NAMEERROR_INTERNET_INVALID_OPERATIONERROR_INTERNET_LOGIN_FAILUREERROR_INTERNET_INCORRECT_HANDLE_TYPEERROR_INTERNET_OPERATION_CANCELLEDERROR_INTERNET_NOT_PROXY_REQUESTERROR_INTERNET_INCORRECT_HANDLE_STATEERROR_INTERNET_BAD_REGISTRY_PARAMETERERROR_INTERNET_REGISTRY_VALUE_NOT_FOUNDERROR_INTERNET_NO_CONTEXTERROR_INTERNET_NO_DIRECT_ACCESSERROR_INTERNET_REQUEST_PENDINGERROR_INTERNET_NO_CALLBACKERROR_INTERNET_ITEM_NOT_FOUNDERROR_INTERNET_INCORRECT_FORMATERROR_INTERNET_CONNECTION_ABORTEDERROR_INTERNET_CANNOT_CONNECTERROR_INTERNET_FORCE_RETRYERROR_INTERNET_CONNECTION_RESETERROR_INTERNET_NEED_UIERROR_INTERNET_INVALID_PROXY_REQUESTERROR_INTERNET_SEC_CERT_DATE_INVALIDERROR_INTERNET_HANDLE_EXISTSERROR_INTERNET_HTTP_TO_HTTPS_ON_REDIRERROR_INTERNET_SEC_CERT_CN_INVALIDERROR_INTERNET_MIXED_SECURITYERROR_INTERNET_HTTPS_TO_HTTP_ON_REDIRERROR_INTERNET_POST_IS_NON_SECUREERROR_INTERNET_CHG_POST_IS_NON_SECUREERROR_INTERNET_INVALID_CAERROR_INTERNET_CLIENT_AUTH_CERT_NEEDEDERROR_INTERNET_ASYNC_THREAD_FAILEDERROR_INTERNET_CLIENT_AUTH_NOT_SETUPERROR_INTERNET_DIALOG_PENDINGERROR_INTERNET_REDIRECT_SCHEME_CHANGEERROR_INTERNET_HTTPS_HTTP_SUBMIT_REDIRERROR_INTERNET_RETRY_DIALOGERROR_INTERNET_FORTEZZA_LOGIN_NEEDEDERROR_INTERNET_INSERT_CDROMERROR_INTERNET_SEC_CERT_NO_REVERROR_INTERNET_SEC_CERT_ERRORSERROR_INTERNET_SEC_CERT_WEAK_SIGNATUREERROR_INTERNET_SEC_CERT_REV_FAILEDERROR_INTERNET_UNABLE_TO_CACHE_FILEERROR_INTERNET_SECURITY_CHANNEL_ERRORERROR_INTERNET_DISCONNECTEDERROR_INTERNET_TCPIP_NOT_INSTALLEDERROR_INTERNET_PROXY_SERVER_UNREACHABLEERROR_INTERNET_SERVER_UNREACHABLEERROR_INTERNET_UNABLE_TO_DOWNLOAD_SCRIPTERROR_INTERNET_BAD_AUTO_PROXY_SCRIPTERROR_INTERNET_SEC_CERT_REVOKEDERROR_INTERNET_SEC_INVALID_CERTERROR_INTERNET_NOT_INITIALIZEDERROR_INTERNET_FAILED_DUETOSECURITYCHECKERROR_INTERNET_LOGIN_FAILURE_DISPLAY_ENTITY_BODYERROR_INTERNET_NEED_MSN_SSPI_PKGERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED_PROXYERROR_INTERNET_DECODING_FAILEDERROR_INTERNET_HTTP_PROTOCOL_MISMATCHERROR_INTERNET_SECURE_FAILURE_PROXYERROR_INTERNET_FEATURE_DISABLEDERROR_INTERNET_GLOBAL_CALLBACK_FAILEDERROR_HTTP_HEADER_NOT_FOUNDERROR_HTTP_HSTS_REDIRECT_REQUIREDERROR_HTTP_INVALID_SERVER_RESPONSEERROR_HTTP_DOWNLEVEL_SERVERERROR_HTTP_INVALID_QUERY_REQUESTERROR_HTTP_INVALID_HEADERERROR_HTTP_REDIRECT_FAI
Source: classification engineClassification label: mal52.evad.winZIP@17/68@1/1
Source: is-AE0J0.tmp.9.drInitial sample: https://devblogs.microsoft.com/oldnewthing/?p=6563
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=schedule-batch-jobs
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=macros
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=command-line
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=expert-settings
Source: is-AE0J0.tmp.9.drInitial sample: https://winmerge.org/
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=ftp-setup
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/tutorials.php
Source: is-AE0J0.tmp.9.drInitial sample: https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting
Source: is-AE0J0.tmp.9.drInitial sample: https://www.codeproject.com/articles/1144/beating-the-daylight-savings-time-bug-and-getting
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=variable-drive-letters
Source: is-AE0J0.tmp.9.drInitial sample: https://freefilesync.org/manual.php?topic=comparison-settings
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\Public\Desktop\FreeFileSync.lnkJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: FreeFileSync_13.9_Windows_Setup.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile read: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeJump to behavior
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$402CA,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg"
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Program Files\FreeFileSync\FreeFileSync.exe "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$402CA,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess created: C:\Program Files\FreeFileSync\FreeFileSync.exe "C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalizeJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalizeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: msftedit.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.globalization.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: globinputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winhttpcom.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: FreeFileSync.lnk.9.drLNK file: ..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: RealTimeSync.lnk.9.drLNK file: ..\..\..\Program Files\FreeFileSync\RealTimeSync.exe
Source: FreeFileSync.lnk0.9.drLNK file: ..\..\..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: RealTimeSync.lnk0.9.drLNK file: ..\..\..\..\..\Program Files\FreeFileSync\RealTimeSync.exe
Source: FreeFileSync.lnk1.9.drLNK file: ..\..\..\..\..\..\..\Program Files\FreeFileSync\FreeFileSync.exe
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSyncJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\UninstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\is-2E3MA.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-T50S2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-AE0J0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-VDC8T.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-9HG6N.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\is-02RD3.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\ResourcesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-12H34.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-FBQ0I.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-57T01.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-1D3QI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-185HH.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-LEJVI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-OE1DV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-EN6V8.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-2IM3U.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-1MB2K.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-CRA09.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-GTR9S.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\is-2OB44.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\BinJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-DDMAO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Uninstall\unins000.msgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDirectory created: C:\Program Files\FreeFileSync\Resources\Animal.datJump to behavior
Source: MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zipStatic file information: File size 20159091 > 1048576
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_Win32.pdb{ source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdbB source: FreeFileSync.exe, 0000000A.00000000.1254697330.0000000000A16000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1371545424.0000000000132000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_x64.pdb source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:30 2024 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_win32_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_win32_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: is-MK0QG.tmp.9.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -arch:IA32 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specific..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: is-MK0QG.tmp.9.dr
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\RealTimeSync_x64.pdb source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\Bin\FreeFileSync_Win32.pdb source: is-MK0QG.tmp.9.dr
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\tb_rand.c..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_obj.cNO X509_NAMEX509_NAME_onelinecompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";os-specificCPUINFO: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\asn1\a_d2i_fp.casn1_d2i_read_biotimed out source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Data\Projects\FreeFileSync\Build\FreeFileSync.pdb source: FreeFileSync.exe, 0000000A.00000000.1254697330.0000000000A16000.00000002.00000001.01000000.0000000A.sdmp, FreeFileSync.exe, 00000012.00000000.1371545424.0000000000132000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: ..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\v3_purp.csetup_dpossl_x509v3_cache_extensionsALLRANDCIPHERSDIGESTSPKEYPKEY_CRYPTOPKEY_ASN1ENGINE_set_default_string..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\engine\eng_fat.cstr=%s..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x509_cmp.cossl_x509_add_cert_newX509_add_certX509_add_certs-fipsX509_check_private_keyossl_x509_check_private_key0123456789ABCDEFcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 20243.4.0built on: Thu Oct 24 07:45:18 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\engines-3"MODULESDIR: "C:\Data\Projects\OpenSSL\Build\msvc_v143_x64_release\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot available..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\x509\x_all.cSHA512SHAKE256SHA256X509_CRL_digest..\..\..\..\..\..\Data\Projects\OpenSSL\Source\crypto\pem\pem_info.cPEM_X509_INFO_read_bio_exX509 CERTIFICATETRUSTED CERTIFICATE source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp
Source: FreeFileSync_13.9_Windows_Setup.tmp.3.drStatic PE information: section name: .didata
Source: FreeFileSync_13.9_Windows_Setup.tmp.7.drStatic PE information: section name: .didata
Source: is-2E3MA.tmp.9.drStatic PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\is-9HG6N.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\is-VDC8T.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Uninstall\is-2E3MA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-DDMAO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FreeFileSync.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealTimeSync.lnkJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "NVIDIA NVIEW DESKTOP MANAGER" VERSION 148.47, OR UPDATE YOUR NVIDIA GRAPHICS CARD DRIVERS TO A NEWER VERSION.) WAS FOUND ON YOUR SYSTEM AND APPARENTLY CAUSED FREEFILESYNC TO CRASH.FAILED TO GET CRASH INFO FOR "VSFILEHANDLER_64.DLL": ASWHOOK.DLLVSFILEHANDLER_64.DLL
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp, is-MK0QG.tmp.9.drBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "VISUAL STUDIO 2022 PREVIEW", OR UPDATE TO A NEWER VERSION.WINMM.DLLASWHOOK.DLLTHE AVAST VIRUS SCANNER WAS FOUND ON YOUR SYSTEM (%X) AND APPARENTLY CAUSED FREEFILESYNC TO CRASH DURING SOUND PLAYBACK.
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmp, is-MK0QG.tmp.9.drBinary or memory string: 3. SEND THE LINKFAILED TO GET FILE INFO FOR "ASWHOOK.DLL": A CRASH DUMP FILE WAS WRITTEN:
Source: FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: IN ORDER TO AVOID CRASHING, EITHER UNINSTALL "VISUAL STUDIO 2022 PREVIEW", OR UPDATE TO A NEWER VERSION.THE AVAST VIRUS SCANNER WAS FOUND ON YOUR SYSTEM (%X) AND APPARENTLY CAUSED FREEFILESYNC TO CRASH DURING SOUND PLAYBACK.FAILED TO GET FILE INFO FOR "ASWHOOK.DLL": WINMM.DLL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5246Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4519Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\is-9HG6N.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpDropped PE file which has not been started: C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp TID: 880Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6928Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: FreeFileSync_x64.exe, 00000013.00000003.1402209329.000002673A136000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FreeFileSync_13.9_Windows_Setup.exeBinary or memory string: 7xwVMcI
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000002.1484037918.0000000000BCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: is-2IM3U.tmp.9.drBinary or memory string: #1DQemu}}
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000002.1484037918.0000000000BCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465474308.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1454606163.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1476190448.0000000000C8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: FreeFileSync_x64.exe, 00000013.00000002.1417327066.000002673A131000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1454826977.0000000000C5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWj
Source: FreeFileSync_x64.exe, 00000013.00000002.1415811333.0000026737FDD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeProcess token adjusted: DebugJump to behavior
Source: C:\Program Files\FreeFileSync\FreeFileSync.exeProcess created: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe "C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalizeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp "c:\users\user\appdata\local\temp\is-pu3lu.tmp\freefilesync_13.9_windows_setup.tmp" /sl5="$a0190,19508176,913920,c:\users\user\appdata\local\temp\temp1_mde_file_sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\freefilesync_13.9_windows_setup.exe" /spawnwnd=$40290 /notifywnd=$402ca
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp "c:\users\user\appdata\local\temp\is-pu3lu.tmp\freefilesync_13.9_windows_setup.tmp" /sl5="$a0190,19508176,913920,c:\users\user\appdata\local\temp\temp1_mde_file_sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\freefilesync_13.9_windows_setup.exe" /spawnwnd=$40290 /notifywnd=$402ca Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exeQueries volume information: C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeQueries volume information: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe VolumeInformationJump to behavior
Source: C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E BlobJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Spearphishing Link		12
Command and Scripting Interpreter		1
Registry Run Keys / Startup Folder		11
Process Injection		3
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
Registry Run Keys / Startup Folder		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media2
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		31
Virtualization/Sandbox Evasion		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Rundll32		LSA Secrets2
System Owner/User Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials1
File and Directory Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync21
System Information Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583318 Sample: MDE_File_Sample_017466bb6ff... Startdate: 02/01/2025 Architecture: WINDOWS Score: 52 52 api.freefilesync.org 2->52 56 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->56 11 FreeFileSync_13.9_Windows_Setup.exe 2 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 50 C:\...\FreeFileSync_13.9_Windows_Setup.tmp, PE32 11->50 dropped 16 FreeFileSync_13.9_Windows_Setup.tmp 1 11->16         started        process6 process7 18 FreeFileSync_13.9_Windows_Setup.exe 2 16->18         started        file8 40 C:\...\FreeFileSync_13.9_Windows_Setup.tmp, PE32 18->40 dropped 21 FreeFileSync_13.9_Windows_Setup.tmp 53 41 18->21         started        process9 dnsIp10 54 api.freefilesync.org 104.21.2.160, 443, 49708 CLOUDFLARENETUS United States 21->54 42 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->42 dropped 44 C:\Users\user\AppData\...\FreeFileSync.exe, PE32 21->44 dropped 46 C:\Program Files\FreeFileSync\is-VDC8T.tmp, PE32 21->46 dropped 48 13 other files (none is malicious) 21->48 dropped 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->60 26 powershell.exe 23 21->26         started        29 FreeFileSync.exe 21->29         started        31 FreeFileSync.exe 1 21->31         started        file11 signatures12 process13 signatures14 62 Loading BitLocker PowerShell Module 26->62 33 conhost.exe 26->33         started        35 WmiPrvSE.exe 26->35         started        37 FreeFileSync_x64.exe 6 29->37         started        process15 signatures16 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->58

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-DDMAO.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\Uninstall\is-2E3MA.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)0%ReversingLabs
C:\Program Files\FreeFileSync\is-9HG6N.tmp0%ReversingLabs
C:\Program Files\FreeFileSync\is-VDC8T.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-11B86.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://api.freefilesync.org/email_notifystatusokServer0%Avira URL Cloudsafe
https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.php0%Avira URL Cloudsafe
http://subca.ocsp-c0%Avira URL Cloudsafe
https://api.freefilesync.org/latest_changes?0%Avira URL Cloudsafe
https://api.freefilesync.org/auto_updater&Home0%Avira URL Cloudsafe
http://127.0.0.1:GETacceptHTTP/1.00%Avira URL Cloudsafe
https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalid0%Avira URL Cloudsafe
http://www.wxwidgets.org0%Avira URL Cloudsafe
https://api.freefilesync.org/email_notifylog_warning_totallog_error_totalffs_versiontxCannot0%Avira URL Cloudsafe
https://api.freefilesync.org/K0%Avira URL Cloudsafe
https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequire0%Avira URL Cloudsafe
https://api.freefilesync.org:443/new_installation0%Avira URL Cloudsafe
https://api.freefilesync.org/latest_version&Auto-updateCheck0%Avira URL Cloudsafe
https://api.freefilesync.org/activate_installationkeystd::timecompile0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
api.freefilesync.org
104.21.2.160
truefalse
    		high

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUFreeFileSync_13.9_Windows_Setup.exefalse
      		high
      https://freefilesync.org/thank-you.php?https://freefilesync.org/business.php?Registered.datInstall.dis-MK0QG.tmp.9.drfalse
        		high
        https://drive.google.com/drive/folders/ItemFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
          		high
          https://freefilesync.org/images/log/msg-warning.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
            		high
            https://freefilesync.org/images/log/clock.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
              		high
              http://repository.certum.pl/ccsca2021.cer0FreeFileSync_13.9_Windows_Setup.exefalse
                		high
                https://freefilesync.org/manual.php?topic=schedule-a-batch-job&CancelTheFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                  		high
                  https://curl.se/docs/hsts.htmlFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                    		high
                    https://freefilesync.org/manual.php?topic=realtimesync&ViewFreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmpfalse
                      		high
                      https://freefilesync.org/donateShareis-MK0QG.tmp.9.drfalse
                        		high
                        https://www.remobjects.com/psFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234543664.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234132185.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000000.1236073723.0000000000661000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000000.1247153771.000000000029D000.00000020.00000001.01000000.00000009.sdmp, is-2E3MA.tmp.9.drfalse
                          		high
                          https://www.innosetup.com/FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234543664.000000007F0BB000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1234132185.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000000.1236073723.0000000000661000.00000020.00000001.01000000.00000007.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000000.1247153771.000000000029D000.00000020.00000001.01000000.00000009.sdmp, is-2E3MA.tmp.9.drfalse
                            		high
                            https://freefilesync.org/manual.php?topic=freefilesyncwxFileDialogBase::GetPathC:is-MK0QG.tmp.9.drfalse
                              		high
                              http://ccsca2021.ocsp-certum.com05FreeFileSync_13.9_Windows_Setup.exefalse
                                		high
                                https://FreeFileSync.orgFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1486152239.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C66000.00000004.00001000.00020000.00000000.sdmpfalse
                                  		high
                                  https://freefilesync.org/manual.php?topic=versioningNamingis-MK0QG.tmp.9.drfalse
                                    		high
                                    https://freefilesync.org/manual.php?topic=schedule-batch-jobs)is-AE0J0.tmp.9.drfalse
                                      		high
                                      http://www.certum.pl/CPS0FreeFileSync_13.9_Windows_Setup.exefalse
                                        		high
                                        https://freefilesync.org/images/log/is-MK0QG.tmp.9.drfalse
                                          		high
                                          https://freefilesync.org/manual.php?topic=freefilesyncFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                            		high
                                            https://api.freefilesync.org/email_notifystatusokServerFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://freefilesync.org/images/log/email_short_txtemail_short_htmlsync_resultprocessed_itemsprocessFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                              		high
                                              http://crl.certum.pl/ctnca.crl0kFreeFileSync_13.9_Windows_Setup.exefalse
                                                		high
                                                https://freefilesync.org/images/log/msg-error.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                  		high
                                                  https://freefilesync.org/manual.php?topic=versioningMoveFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                    		high
                                                    https://www.apache.org/licenses/FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465301481.0000000005BC1000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://curl.se/docs/alt-svc.htmlFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                        		high
                                                        https://freefilesync.org/manual.php?topic=comparison-settingsHandleFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                          		high
                                                          https://freefilesync.org/faq.php#donation-editionFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1309008097.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1338955922.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1475877172.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466256543.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1477127157.0000000005B90000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472744428.0000000000C01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://freefilesync.org/get_latest.phpFreeZZLocalMachinePortableffs_variantinstallation_typeDonatiois-MK0QG.tmp.9.drfalse
                                                              		high
                                                              https://github.com/keymanapp/keyman/issues/1723Failedis-MK0QG.tmp.9.drfalse
                                                                		high
                                                                https://api.freefilesync.org/email_notifylog_warning_totallog_error_totalffs_versiontxCannotis-MK0QG.tmp.9.drfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://127.0.0.1:FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                  		high
                                                                  https://freefilesync.org/faq.php#businessFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1309008097.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1338955922.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1475877172.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466256543.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1259262367.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000002.1477127157.0000000005B90000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472744428.0000000000C01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://freefilesync.org/images/log/log.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                      		high
                                                                      https://freefilesync.org/thank-you.php?InvalidFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                        		high
                                                                        http://subca.ocsp-cFreeFileSync_x64.exe, 00000013.00000002.1418537293.000002673A35D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://api.freefilesync.org/latest_changes?FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://freefilesync.org/manual.php?topic=schedule-a-batch-job&Showis-MK0QG.tmp.9.drfalse
                                                                          		high
                                                                          https://winmerge.org/)is-AE0J0.tmp.9.drfalse
                                                                            		high
                                                                            https://FreeFileSync.orgFhttps://FreeFileSync.org/manual.phpFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://freefilesync.org/activate-installation.php?FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                              		high
                                                                              https://freefilesync.org/thank-you.php?FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                                		high
                                                                                https://freefilesync.org/tutorials.php)is-AE0J0.tmp.9.drfalse
                                                                                  		high
                                                                                  https://freefilesync.org/images/FreeFileSync.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                                    		high
                                                                                    https://freefilesync.org/activate-installation.php?%xis-MK0QG.tmp.9.drfalse
                                                                                      		high
                                                                                      https://freefilesync.org/activate-installation.php?FailedFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                        		high
                                                                                        https://freefilesync.org/forumManyis-MK0QG.tmp.9.drfalse
                                                                                          		high
                                                                                          https://freefilesync.org/manual.php?topic=exclude-filesShowis-MK0QG.tmp.9.drfalse
                                                                                            		high
                                                                                            https://freefilesync.org/manual.php?topic=ftp-setupAccessFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                              		high
                                                                                              http://repository.certum.pl/ctsca2021.cer0AFreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                		high
                                                                                                https://freefilesync.org/manual.php?topic=external-applications%item_name%Fileis-MK0QG.tmp.9.drfalse
                                                                                                  		high
                                                                                                  http://crl.certum.pl/ctsca2021.crl0oFreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                    		high
                                                                                                    https://freefilesync.org/business.php?InvalidFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                      		high
                                                                                                      https://api.freefilesync.org/auto_updater&Homeis-MK0QG.tmp.9.drfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      		unknown
                                                                                                      http://ccsca2021.crl.certum.pl/ccsca2021.crl0sFreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                        		high
                                                                                                        https://drive.google.com/drive/folders/%xis-MK0QG.tmp.9.drfalse
                                                                                                          		high
                                                                                                          http://127.0.0.1:GETacceptHTTP/1.0FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://freefilesync.org/images/log/ItemsFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                            		high
                                                                                                            https://freefilesync.org/manual.php?topic=ftp-setup)is-AE0J0.tmp.9.drfalse
                                                                                                              		high
                                                                                                              https://freefilesync.org/manual.php?topic=daylight-saving-timeHandleis-MK0QG.tmp.9.drfalse
                                                                                                                		high
                                                                                                                https://freefilesync.org/manual.php?topic=comparison-settingsMoreis-MK0QG.tmp.9.drfalse
                                                                                                                  		high
                                                                                                                  https://github.com/keymanapp/keyman/issues/1723keyman64.dllFailedFreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1455101516.0000000005170000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://www.wxwidgets.orgFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    https://freefilesync.org/faq.php#donation-editionFFS_DOWNLOAD_PATHFailedis-MK0QG.tmp.9.drfalse
                                                                                                                      		high
                                                                                                                      https://www.google.com/Movedis-MK0QG.tmp.9.drfalse
                                                                                                                        		high
                                                                                                                        http://subca.ocsp-certum.com05FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                          		high
                                                                                                                          https://github.com/keymanapp/keyman/issues/1723TheFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://subca.ocsp-certum.com02FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                              		high
                                                                                                                              http://subca.ocsp-certum.com01FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                                		high
                                                                                                                                http://crl.certum.pl/ctnca2.crl0lFreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                                  		high
                                                                                                                                  http://repository.certum.pl/ctnca2.cer09FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                                    		high
                                                                                                                                    https://freefilesync.org/manual.php?topic=external-applicationsParentFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://api.freefilesync.org/KFreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1465474308.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472129478.0000000000C5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      		unknown
                                                                                                                                      https://freefilesync.org/images/log/file.pngFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                                                                                        		high
                                                                                                                                        https://freefilesync.org/donateFreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C0B000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1466761230.0000000003746000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000027E9000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1468326350.0000000003975000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.9.drfalse
                                                                                                                                          		high
                                                                                                                                          https://freefilesync.org/manual.php?topic=daylight-saving-time1FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://api.freefilesync.org/latest_changes?https://freefilesync.org/faq.php#donation-editionInvalidFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            		unknown
                                                                                                                                            http://repository.certum.pl/ctnca.cer09FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                                              		high
                                                                                                                                              https://freefilesync.org/manual.php?topic=performanceHowis-MK0QG.tmp.9.drfalse
                                                                                                                                                		high
                                                                                                                                                https://freefilesync.org/forum1.ActivateFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://freefilesync.org/manual.php?topic=macros)is-AE0J0.tmp.9.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://FreeFileSync.org/manual.php)FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1486152239.0000000002D5C000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002C7C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      https://www.certum.pl/CPS0FreeFileSync_13.9_Windows_Setup.exefalse
                                                                                                                                                        		high
                                                                                                                                                        https://freefilesync.org/manual.php?topic=performanceParallelFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://api.freefilesync.org/activate_installationkeystd::timecompileis-MK0QG.tmp.9.drfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          		unknown
                                                                                                                                                          https://www.codeproject.com/Articles/1144/Beating-the-Daylight-Savings-Time-bug-and-getting)is-AE0J0.tmp.9.drfalse
                                                                                                                                                            		high
                                                                                                                                                            https://FreeFileSync.org/manual.php1FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1481735992.000000000274C000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1470172733.00000000028A4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              https://freefilesync.org/manual.php?topic=comparison-settings)is-AE0J0.tmp.9.drfalse
                                                                                                                                                                		high
                                                                                                                                                                http://www.dk-soft.org/FreeFileSync_13.9_Windows_Setup.exe, 00000003.00000003.1232791829.0000000003200000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000004.00000003.1237693845.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.exe, 00000007.00000003.1478458861.0000000002B63000.00000004.00001000.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1468326350.0000000003992000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://freefilesync.org/manual.php?topic=variable-drive-letters)is-AE0J0.tmp.9.drfalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://freefilesync.org/donateSupportFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://freefilesync.org/manual.php?topic=exclude-filesInclude:LocalFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://api.freefilesync.org/latest_version&Auto-updateCheckis-MK0QG.tmp.9.drfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        		unknown
                                                                                                                                                                        https://freefilesync.org/get_latest.phpos_version64ffs_variantos_namedip_scaleffs_lang32os_archDonatFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://api.freefilesync.org/activate_installationvenosdusrmodzadf%231d34kjjfInstall.datosffsRequireFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                                          		unknown
                                                                                                                                                                          https://freefilesync.org/business.php?FreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmp, is-MK0QG.tmp.9.drfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://freefilesync.org/manual.php?topic=ftp-setupPromptis-MK0QG.tmp.9.drfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://freefilesync.org/manual.php?topic=synchronization-settingsDetectFreeFileSync_x64.exe, 00000013.00000000.1384934366.00007FF7F4B1E000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://api.freefilesync.org:443/new_installationFreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1454826977.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, FreeFileSync_13.9_Windows_Setup.tmp, 00000009.00000003.1472129478.0000000000C69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                                		unknown

                                                                                                                                                                                World Map of Contacted IPs

                                                                                                                                                                                • No. of IPs < 25%
                                                                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                                                                • 75% < No. of IPs

                                                                                                                                                                                Public IPs

                                                                                                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                104.21.2.160
                                                                                                                                                                                		api.freefilesync.orgUnited States
                                                                                                                                                                                		13335CLOUDFLARENETUSfalse

                                                                                                                                                                                General Information

                                                                                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                Analysis ID:1583318
                                                                                                                                                                                Start date and time:2025-01-02 13:28:46 +01:00
                                                                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                                                                Overall analysis duration:0h 5m 55s
                                                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                                                Report type:full
                                                                                                                                                                                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                Number of analysed new started processes analysed:24
                                                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                                                Number of injected processes analysed:1
                                                                                                                                                                                Technologies:
                                                                                                                                                                                • EGA enabled
                                                                                                                                                                                • AMSI enabled
                                                                                                                                                                                Analysis Mode:default
                                                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                                                Sample name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
                                                                                                                                                                                Detection:MAL
                                                                                                                                                                                Classification:mal52.evad.winZIP@17/68@1/1
                                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                                • Found application associated with file extension: .zip

                                                                                                                                                                                Warnings

                                                                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 204.79.197.200
                                                                                                                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                                Simulations

                                                                                                                                                                                Behavior and APIs

                                                                                                                                                                                TimeTypeDescription
                                                                                                                                                                                07:29:38API Interceptor11x Sleep call for process: powershell.exe modified
                                                                                                                                                                                07:29:46API Interceptor2x Sleep call for process: FreeFileSync_13.9_Windows_Setup.tmp modified

                                                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                                                IPs

                                                                                                                                                                                No context

                                                                                                                                                                                Domains

                                                                                                                                                                                No context

                                                                                                                                                                                ASNs

                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                CLOUDFLARENETUShttps://www.ecorfan.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.17.24.14
                                                                                                                                                                                https://debeeyardelia.pages.devGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 188.114.96.3
                                                                                                                                                                                Setup.exe.7zGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 172.64.41.3
                                                                                                                                                                                http://www.johnlewis-partnerships.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.18.43.2
                                                                                                                                                                                https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690Get hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.21.0.170
                                                                                                                                                                                1.ps1Get hashmaliciousCobaltStrike, MetasploitBrowse
                                                                                                                                                                                • 104.21.96.1
                                                                                                                                                                                random(4).exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                • 172.67.129.178
                                                                                                                                                                                inv#12180.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                • 172.67.182.198

                                                                                                                                                                                JA3 Fingerprints

                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1Setup.exe.7zGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                ETVk1yP43q.exeGet hashmaliciousAZORultBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                UhsjR3ZFTD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160
                                                                                                                                                                                web44.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 104.21.2.160

                                                                                                                                                                                Dropped Files

                                                                                                                                                                                No context

                                                                                                                                                                                Created / dropped Files

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\FreeFileSync_Win32.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15743600
                                                                                                                                                                                Entropy (8bit):6.676478492192778
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:393216:lK+Z2WzDVJMtn6w81osfhZGuOzmo1UPBQba:lK3WzDVJg6ZPfauOmeUC
                                                                                                                                                                                MD5:6EAD4B37E3E54E11161907B7A8946F8B
                                                                                                                                                                                SHA1:3AFAA2CE6D8662F1EE8841D08C11EB4AEAA851CA
                                                                                                                                                                                SHA-256:7DEC5B9507A5EE363CD2BB66D7AED183702FCE29291AEED4B75838126810D9CB
                                                                                                                                                                                SHA-512:0650E364110B3F7D8887545E374B7B5D172A188C57E52F847046032C323AE69F9027EFC3EB61D485368319666A15AFD0C27EE683348632F4EFD1DBE15595FECA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........5w..[$..[$..[$..X%..[$..\%..[$.9.$..[$.9_%..[$.9X%..[$.9^%..[$..^%..[$.._%..[$..]%..[$..Z%..[$..Z$.[$.:_%.[$.:_%.[$.:^%..[$.9R%@.[$.9.$..[$.9Y%..[$Rich..[$................PE..L.....Tg...............*.8...<J.....xH.......P....@.......................................@..................................5...........j..............p(......<....J..T....................K......(...@............P......H0.. ....................text...h6.......8.................. ..`.rdata...'0..P...(0..<..............@..@.data................d..............@....rsrc....j.......l..................@..@.reloc..<............^..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):17732208
                                                                                                                                                                                Entropy (8bit):6.5078627737248596
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:393216:W7ndm7EDXrvLbAu/DziINa8ocKlq7RCKJ:W707EDZ7
                                                                                                                                                                                MD5:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                                                SHA1:FF7C84DD75DAF2C3B9D44113D8D6303E1F8AC9CB
                                                                                                                                                                                SHA-256:022C26BA9B5E3FE6B8B3290B4C4B939D6DD766E425BBD3AD99FBFAE739E911E3
                                                                                                                                                                                SHA-512:F6BAA74EBBB713422807C49C5EA31D3A61656E7750AC42F35BF7629D5FCA71BECB4DB1DAC447194DC78B7909ADB357754E291FD0DFCED6D2B9DABB225E0D2C7E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......p.J44.$g4.$g4.$g..'f..$g..#f5.$g%P.g<.$g%P f .$g%P'f:.$g%P!f^.$g..!f..$g.. f..$g.."f5.$g..%f..$g4.%gb.$g.S fk.$g|S f|.$g|S!f_.$g.P-f..$g.P.g5.$g.P&f5.$gRich4.$g........................PE..d.....Tg.........."....*....r[................@.............................`......6.....`.................................................p?.......p...j......,....j..p(......$v..l...T.......................(.......@..............0...t8.. ....................text...I.......................... ..`.rdata..^.@......@................@..@.data...i?.......r...v..............@....pdata..,...........................@..@.rsrc....j...p...l..................@..@.reloc..$v.......x..................@..B........................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\RealTimeSync_Win32.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7277680
                                                                                                                                                                                Entropy (8bit):6.6027141847884945
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:196608:F3cuVDkD08cv6+JFLUdKreojYmI+v+i/FZBTa:BVJfv6+PT/LI+2KFm
                                                                                                                                                                                MD5:51DDC8386A8E2038D5B161A827518334
                                                                                                                                                                                SHA1:0DF90D95CB4896DE91AC89390B73FA496E2684A5
                                                                                                                                                                                SHA-256:2F5873807C4260C7A30DB0BB87AA59D36D755E9E5041B10C4302AE3B28E6E0D9
                                                                                                                                                                                SHA-512:BFDF7F83B2D098CC75FA3F48079556ADB8400BD858FBC4AAF4E65ED088E3E73723BF06732EA93E74EDEA60D188F0A27321AB57032DB365488A06D23EA50D3B78
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........k.q...q...q.......q......tq.......q.......q.......q.......q.......q.......q...q..cs.......q.......p..-....q..-....q..-....q..Rich.q..........................PE..L.....Tg...............*..L...&.....sl=...... L...@..........................@r.......o...@...................................d.......i...............n.p(....k..F..Ht].T....................t]......s].@............ L..............................text.....L.......L................. ..`.rdata....... L.......L.............@..@.data...p.... e.......e.............@....rsrc.........i.......f.............@..@.reloc...F....k..H....h.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\RealTimeSync_x64.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7765104
                                                                                                                                                                                Entropy (8bit):6.495639480068131
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:196608:5iL+17hE7wVd3kpdwnnziRUXP2Ry9sLIBa:AL+17hE7wVd3kD
                                                                                                                                                                                MD5:730CE133466E06C8E7A3089053A53979
                                                                                                                                                                                SHA1:5BD7C9513C81E3B1F86BF9D008CD2D9684867476
                                                                                                                                                                                SHA-256:D5BA33ACDC6316E3BFDC0085D7BC5C60EA69F56BC9AD0A9B6115B279D6EA3B14
                                                                                                                                                                                SHA-512:4F58EE5745168314D046B2EF84C45D153C29C1FBB04BE884A5EC77D8DB6D8C48FA9BA701B461BA961C784B8535A2564402FC6F2B8FA0E380D1611994074CE333
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............}......}..1..................................}......}......}..........3................h.......h.......h.......Rich............................PE..d.....Tg.........."....*.`M..j,.......A........@..............................y.....Q_w...`.................................................t+m.......u.......r.\....Tv.p(....x.T.....b.T.....................b.(...@.b.@............pM.p............................text....^M......`M................. ..`.rdata..`....pM......dM.............@..@.data...|n...pm......bm.............@....pdata..\.....r......Xo.............@..@.rsrc.........u......dr.............@..@.reloc..T.....x......|t.............@..B........................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\is-4SAVQ.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7765104
                                                                                                                                                                                Entropy (8bit):6.495639480068131
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:196608:5iL+17hE7wVd3kpdwnnziRUXP2Ry9sLIBa:AL+17hE7wVd3kD
                                                                                                                                                                                MD5:730CE133466E06C8E7A3089053A53979
                                                                                                                                                                                SHA1:5BD7C9513C81E3B1F86BF9D008CD2D9684867476
                                                                                                                                                                                SHA-256:D5BA33ACDC6316E3BFDC0085D7BC5C60EA69F56BC9AD0A9B6115B279D6EA3B14
                                                                                                                                                                                SHA-512:4F58EE5745168314D046B2EF84C45D153C29C1FBB04BE884A5EC77D8DB6D8C48FA9BA701B461BA961C784B8535A2564402FC6F2B8FA0E380D1611994074CE333
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............}......}..1..................................}......}......}..........3................h.......h.......h.......Rich............................PE..d.....Tg.........."....*.`M..j,.......A........@..............................y.....Q_w...`.................................................t+m.......u.......r.\....Tv.p(....x.T.....b.T.....................b.(...@.b.@............pM.p............................text....^M......`M................. ..`.rdata..`....pM......dM.............@..@.data...|n...pm......bm.............@....pdata..\.....r......Xo.............@..@.rsrc.........u......dr.............@..@.reloc..T.....x......|t.............@..B........................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\is-DDMAO.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):17732208
                                                                                                                                                                                Entropy (8bit):6.5078627737248596
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:393216:W7ndm7EDXrvLbAu/DziINa8ocKlq7RCKJ:W707EDZ7
                                                                                                                                                                                MD5:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                                                SHA1:FF7C84DD75DAF2C3B9D44113D8D6303E1F8AC9CB
                                                                                                                                                                                SHA-256:022C26BA9B5E3FE6B8B3290B4C4B939D6DD766E425BBD3AD99FBFAE739E911E3
                                                                                                                                                                                SHA-512:F6BAA74EBBB713422807C49C5EA31D3A61656E7750AC42F35BF7629D5FCA71BECB4DB1DAC447194DC78B7909ADB357754E291FD0DFCED6D2B9DABB225E0D2C7E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......p.J44.$g4.$g4.$g..'f..$g..#f5.$g%P.g<.$g%P f .$g%P'f:.$g%P!f^.$g..!f..$g.. f..$g.."f5.$g..%f..$g4.%gb.$g.S fk.$g|S f|.$g|S!f_.$g.P-f..$g.P.g5.$g.P&f5.$gRich4.$g........................PE..d.....Tg.........."....*....r[................@.............................`......6.....`.................................................p?.......p...j......,....j..p(......$v..l...T.......................(.......@..............0...t8.. ....................text...I.......................... ..`.rdata..^.@......@................@..@.data...i?.......r...v..............@....pdata..,...........................@..@.rsrc....j...p...l..................@..@.reloc..$v.......x..................@..B........................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\is-E2MT7.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7277680
                                                                                                                                                                                Entropy (8bit):6.6027141847884945
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:196608:F3cuVDkD08cv6+JFLUdKreojYmI+v+i/FZBTa:BVJfv6+PT/LI+2KFm
                                                                                                                                                                                MD5:51DDC8386A8E2038D5B161A827518334
                                                                                                                                                                                SHA1:0DF90D95CB4896DE91AC89390B73FA496E2684A5
                                                                                                                                                                                SHA-256:2F5873807C4260C7A30DB0BB87AA59D36D755E9E5041B10C4302AE3B28E6E0D9
                                                                                                                                                                                SHA-512:BFDF7F83B2D098CC75FA3F48079556ADB8400BD858FBC4AAF4E65ED088E3E73723BF06732EA93E74EDEA60D188F0A27321AB57032DB365488A06D23EA50D3B78
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........k.q...q...q.......q......tq.......q.......q.......q.......q.......q.......q...q..cs.......q.......p..-....q..-....q..-....q..Rich.q..........................PE..L.....Tg...............*..L...&.....sl=...... L...@..........................@r.......o...@...................................d.......i...............n.p(....k..F..Ht].T....................t]......s].@............ L..............................text.....L.......L................. ..`.rdata....... L.......L.............@..@.data...p.... e.......e.............@....rsrc.........i.......f.............@..@.reloc...F....k..H....h.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Bin\is-MK0QG.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15743600
                                                                                                                                                                                Entropy (8bit):6.676478492192778
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:393216:lK+Z2WzDVJMtn6w81osfhZGuOzmo1UPBQba:lK3WzDVJg6ZPfauOmeUC
                                                                                                                                                                                MD5:6EAD4B37E3E54E11161907B7A8946F8B
                                                                                                                                                                                SHA1:3AFAA2CE6D8662F1EE8841D08C11EB4AEAA851CA
                                                                                                                                                                                SHA-256:7DEC5B9507A5EE363CD2BB66D7AED183702FCE29291AEED4B75838126810D9CB
                                                                                                                                                                                SHA-512:0650E364110B3F7D8887545E374B7B5D172A188C57E52F847046032C323AE69F9027EFC3EB61D485368319666A15AFD0C27EE683348632F4EFD1DBE15595FECA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........5w..[$..[$..[$..X%..[$..\%..[$.9.$..[$.9_%..[$.9X%..[$.9^%..[$..^%..[$.._%..[$..]%..[$..Z%..[$..Z$.[$.:_%.[$.:_%.[$.:^%..[$.9R%@.[$.9.$..[$.9Y%..[$Rich..[$................PE..L.....Tg...............*.8...<J.....xH.......P....@.......................................@..................................5...........j..............p(......<....J..T....................K......(...@............P......H0.. ....................text...h6.......8.................. ..`.rdata...'0..P...(0..<..............@..@.data................d..............@....rsrc....j.......l..................@..@.reloc..<............^..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Changelog.txt (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):147223
                                                                                                                                                                                Entropy (8bit):4.884422991548549
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:njjdQgWoXi9Wpsy8tLd3oXU91w28OvY+KlAd7J:TTmy2oks+KAd7J
                                                                                                                                                                                MD5:6E6DBAD61ECC2B74C8150A227CD51FB5
                                                                                                                                                                                SHA1:746924D5F98F9B4428A17CE36FA02B0459E9BC09
                                                                                                                                                                                SHA-256:CF47B6710F5ADD5EB9BF4A4455507A123E17BE212D64A266ED57E1539ACB3EBB
                                                                                                                                                                                SHA-512:A95B93CB659282B978271389681C63964DD85E3E21F42C678A6932E1073D8BBB7A1269898C4CA3FB7017A8FE7496CB11B4A54F043D5C6FC1FB33F2C675C42646
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:FreeFileSync 13.9 [2024-12-07]..------------------------------..Fixed CURLE_SEND_ERROR: OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0..Added comparison and sync context menu options for multiple folder pairs..Show file include/exclude filter directly in tooltip..Fixed file not found error when cancelling file up-/download..Fixed showing cancelled config log status after nothing to sync..Updated translation files......FreeFileSync 13.8 [2024-11-04]..------------------------------..Support raw IPv6 server address for (S)FTP..RealTimeSync: Fixed scrollbar when adding/removing folders..Don't set sync direction for partial folder pairs..Uniquely identify partial folder pairs in error message..Fixed network login prompt not showing in Windows 11 24H2......FreeFileSync 13.7 [2024-06-23]..------------------------------..Support copying symlinks between SFTP devices..Fixed input focus not being restored after comparison/sync..Fixed log file pruning not considering selected configuration..Show s

                                                                                                                                                                                C:\Program Files\FreeFileSync\FreeFileSync.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):676464
                                                                                                                                                                                Entropy (8bit):6.18963251148129
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                                                MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                                                SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                                                SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                                                SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Install.dat (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):22
                                                                                                                                                                                Entropy (8bit):4.459431618637295
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:aI:aI
                                                                                                                                                                                MD5:C810DE60BF6CA1BE2501318BD584C3C3
                                                                                                                                                                                SHA1:95583218CE67FF1702C723EC230A07B26F6A6DA0
                                                                                                                                                                                SHA-256:CAEA72923531102B93E1EACDB25568C4228E138FBCF2D7F31EE65F0A4E00EE5D
                                                                                                                                                                                SHA-512:035E56E3F7AE4CD62D5C0A746041803EC0B8F8F181FB35F19AE86D9C4848ED730CAF0A03B2AFA0E1304E21B43B82E62A96E0CA52EEBB692D3253CA4B3BD15474
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Z....c.,.......1..a.^

                                                                                                                                                                                C:\Program Files\FreeFileSync\Install.dat.9743.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):22
                                                                                                                                                                                Entropy (8bit):4.459431618637295
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:aI:aI
                                                                                                                                                                                MD5:C810DE60BF6CA1BE2501318BD584C3C3
                                                                                                                                                                                SHA1:95583218CE67FF1702C723EC230A07B26F6A6DA0
                                                                                                                                                                                SHA-256:CAEA72923531102B93E1EACDB25568C4228E138FBCF2D7F31EE65F0A4E00EE5D
                                                                                                                                                                                SHA-512:035E56E3F7AE4CD62D5C0A746041803EC0B8F8F181FB35F19AE86D9C4848ED730CAF0A03B2AFA0E1304E21B43B82E62A96E0CA52EEBB692D3253CA4B3BD15474
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Z....c.,.......1..a.^

                                                                                                                                                                                C:\Program Files\FreeFileSync\Install.dat.b2a6.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):30
                                                                                                                                                                                Entropy (8bit):4.840223928941852
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:amDVqLft:aV
                                                                                                                                                                                MD5:4DDD53F3AB6763DA2BAFC5E1F21AA3A0
                                                                                                                                                                                SHA1:58B28082FB102B9570874BCBA7F844DC47A1A0A7
                                                                                                                                                                                SHA-256:97EEE1F695427FC53355738031CF49E844C49A403F3261C3B6B0A0A97DCADB97
                                                                                                                                                                                SHA-512:601647E679374B35B6E6B4C98788752B497860B90611150A52D8E92CF7791AB0E05205913A7824263CB61387A11DD521C32FCC233F34AB3AAE234BF3DE3EDEC1
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Z...-.~.l..D..~:B.b....[....H.

                                                                                                                                                                                C:\Program Files\FreeFileSync\License.rtf (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):52941
                                                                                                                                                                                Entropy (8bit):4.834889561469989
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:4IwnwOuD+WlljeKquwIx0i5D/e1iHdTcoPhpkYp/T/FXOx0Bpm3APzB4D:j1OuljeMr5DGwxUETy0Bpm3Al4D
                                                                                                                                                                                MD5:EE9B7FD879D57A35B5F0F575A1755F71
                                                                                                                                                                                SHA1:D3CA973EAA0EC74845E2E7851A6837AE08906E67
                                                                                                                                                                                SHA-256:ADC61454C4F9DA3C500501D33E2949EC5B0B857C57B3CF2FD172FBFF2BF76CDB
                                                                                                                                                                                SHA-512:D32DBF8B3AB9155F008F1283D4F37225E8B66A71F3E58BC1FED566EA8FC3618773DD73A677C772BE0EA4854D75264A8765EB0A3C480418A73060ED93D4B502CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deftab709{\fonttbl{\f0\fswiss\fprq2\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue128;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\nowidctlpar\hyphpar0\qc\kerning1\f0\fs26\lang1031 FreeFileSync: Terms of Use\par....\pard\nowidctlpar\hyphpar0\fs22\par..The FreeFileSync standard and {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#donation-edition" }}{\fldrslt{\ul\cf1\cf2\ul Donation\~Edition}}}}\f0\fs22 are for \b private\~use\b0 only.\par..\b\fs11\par..\fs22 Commercial use\b0 requires buying\b \b0 the {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#business" }}{\fldrslt{\ul\cf1\cf2\ul FreeFileSync\~Business\~Edition}}}}\f0\fs22 . This also applies to government organizations.\par....\pard\nowidctlpar\hyphpar0\qc _____________________________________________________________\par....\pard\nowidctlpar\hyphpar0\par..A. GNU General Public License\par..B. wxWidgets License\par

                                                                                                                                                                                C:\Program Files\FreeFileSync\RealTimeSync.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):390256
                                                                                                                                                                                Entropy (8bit):6.134884165717768
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:B5EBllbJaaRqWCMjtIj2UpComPU8kmz7ia0oQhX:BiBllVfRqWCMYQUzeNLQh
                                                                                                                                                                                MD5:93B8B77BAE7AF0FA64E9F59F8C15351E
                                                                                                                                                                                SHA1:A01661073A1E0BB9EC697645EA2F5D36DDD66530
                                                                                                                                                                                SHA-256:F4D1BBDBB75ED4017ADCEF6295DB223D5B633B9AFD88FD016E86434EDB97A262
                                                                                                                                                                                SHA-512:FA804AA8E41647330512F00BDFA70BC6020C6CDC1AF24C2788D65CE7BD495B7007C9D4B119C9CBE571BF9089CF5843A5118690ED3956A2684403638251473D51
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$b..E...E...E...=...E...=..AE...=...E.......E.......E.......E...=...E...=...E...E.. E..l....E..l...E..l....E..Rich.E..................PE..L.....Tg...............*..........................@..........................P...........@....................................P.......................p(... ...%...d..T....................d......Xc..@............................................text...$........................... ..`.rdata..b...........................@..@.data....^...........~..............@....rsrc...............................@..@.reloc...%... ...&..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\Animal.dat

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, progressive, precision 8, 640x338, components 3
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):76482
                                                                                                                                                                                Entropy (8bit):7.989908479124603
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:OE+VAMh0dSrdOpCNiEUE/oLMkjuwGq8xMV8SpdwHH7+v9a7ZT4qW:NO0ArIHELkjuU6MrLwHMs9RW
                                                                                                                                                                                MD5:5B7EC8519C145BFA8F3D8A8326D53364
                                                                                                                                                                                SHA1:F9AB9AB0049256C8537221A461C538D3A50A5ADE
                                                                                                                                                                                SHA-256:449EB4A1EA3211A67AF1BCD292AF9B3FAB6F964920F64E71DF254020ED7557C6
                                                                                                                                                                                SHA-512:9DDF25A698F5A2E46A6BB917ECBE6BBC50FDBD1881F7A65CE41561E63A2DEFB1738912D14621D569AF61BF137877A212BD5F288DD02A657F5504982C640AEA17
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......JFIF.....,.,.....C....................................................................C.......................................................................R........................................................................................z&~.7z..^f...f+5..U.*.Vn.u.z.c).....3.>z^.n..$.....c.w.........#....D.0'...C..u...\`J..K1...87._u.>.QK.W............(].2G-)iH.QWPO.\...N..G9s*.V_.>.zB..R..T..Cvg........T..Q.f...X3~..$.IKv..s...q....@$..5.x..!K..}nn...|.(n.ytS~...!.J.vv.......I\..*.*-.;.T.7UH....cy......K..l..Gu..3....~.....".O~.-.K..0.\+.S."u..:C!..tp..YW"O.a.{....Kr.....s.^F}....R...p.=.gm\.\Ys...J...P..QM..^..f:.\.UvN.w.e.....k.&..$..D..$...]_nL..N...e.....'Rd..].T.7.[%....0U..o..i.).W.T...T.7W........&7..h.NU.I.oq....S..2t'.a.&.U..j.^.-^..wY.:......b..I...H..0.Q.:R.].:.#s._bch..T..j.Wn...d.GH.e..+J.qz.8..........F)*<...3.:.Xk.aU.Vu..*.>e.*...1...z..Q.BKc...............4~YO..r.......`a>t.p..H.L....C."<.. .K.D.BN...*M.....H..

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\Icons.zip (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):351747
                                                                                                                                                                                Entropy (8bit):7.899316585167089
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:CAQnMm4AzR2iT0BeyMcEMHeBs/bhkS/vQQbOY+LX8d3pukVMQyP:CNX0iIBeyf+Bsdkg4yymuhfP
                                                                                                                                                                                MD5:EB2B74B48971C9EE1F8739C047AEC356
                                                                                                                                                                                SHA1:11B2576621F710513B34CCEDC33E86C6DBBE82BF
                                                                                                                                                                                SHA-256:BD77639AE7610479AC31B66534A5AB8B84A3497DFC9DD2007FED40A565E0E7E8
                                                                                                                                                                                SHA-512:D49E6F4F88C700BA6C821B8D20D1745EA456362675E8253307B8CC5B0467AE8506E53DFADDA4A4E1F7FD8D8F4DB0BBA369E4DCB194D3EDAA03A1058F76E4635C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:PK........y..V................about.png.PNG........IHDR... ... .....szz.....tIME.....+2...%....pHYs...#...#.x.?v....gAMA......a.....IDATx...XTW../]1&k,.$&F,.((F.5.P. ....C..3 ...v...Q....m..A...!.A1.V..Q......!Fe....~.{.....=...!.... .W.G'..7.G.<Z.&..-Uy...e....Dg.)......#.OP....u.,^...H...9.K....J~x....].G.`.{.V|]s.i.-]k...;k.m.N.$..........H..^I..;N.E.4c...".o"8.........A.u...D@.u......"s..7..O^.}i........\....]..E.........d6.y..p.8f\...~.e.mo.-e.7..i..x.....n[E....2y.._2.+Sh.Dl..P.=..dbM..v...`.~.V__....n;..wu....X.v..(....4..KS.a......X./m....S...j@&K.t...k.S...M.,.j.....*.x..<...q...<~.....q..*._.a.....,.;.9..k..d.9._..I.c..M.ry.Z.....*..5...{.X....a~..f....t....x....C'.0;.{|..3C.8.a.|..).1.o..~a...4...0..).Ib.f....ST..[.._....x......Zw.3.y...^.$....#..>*:....d........n.....p....G.G0j.i..........MtL\....by..V...Z....e.H[..k $B>c....3WW.Hv............>.<h.....L.9.i.J.C)..c..$...6.o.%.q.....+..6....*.....!..~.?......A.AL.d...1..

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\Languages.zip (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):524890
                                                                                                                                                                                Entropy (8bit):7.998477275593787
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:12288:tHWwVw5n/cZGaKwH3OPaLBu5dTz/QoFk3mTiJYEyRLrO0NOwbVFEL:t2wVw5n63KwHeSLBurtC1a2sDQ
                                                                                                                                                                                MD5:49DF22A8504B30AC0E66D0A8521BEFF2
                                                                                                                                                                                SHA1:2ACDA03760A6EC4D1196197CF83A61FBB8965952
                                                                                                                                                                                SHA-256:AF05178F06ECD3F8E8235DE53A91AAE011D75E6F78772B700D7C6B40D5B60479
                                                                                                                                                                                SHA-512:EAFD5C5DCE9CF45B5DDA23DF702E73F60FDF6DBD163103D17C6D96179F70327896642EE89E071E6980308F0E5E60964F056D2DF86C0F5689BD35B1D0BCC8522C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:PK.........}uY...!zF...T......bulgarian.lng.]_o.Gr.>.....D.@\E. ...c[....8...h...........'.:.....F..l'.`..+....3.(]U.3=..3.. @.......U..Uu.....7z...~..`/.{.....?.....$...e...~.../~..'~....]..}...{<.xy...?.i.l...8..x...[,`......b...=.$.A..$.....~.y...w....q.F}..wx.....o..l.w....x[.=7yS<a..l....9.&,...e...l.....d..evI....G.4p.Gn?q..{_.,.e.O8..1.p.2(.0......L.9.. .....(.x....~8.w.?.-...I.......-.O..:...]Wa.....<..E]..Fn4..X.u.z...`..^~,...Z.G..0.k.M.?..8X....t4.#X..79p.9....A..w..Q...43.#.JHuB.,@.G(...,;........-.s.?V+.)>.5,0.........?.X.*...../.6.F..j......q..ks1.,......L.z.d...N..3..V..4........U.....t......g.....9..R.;.u.. ....q..../...p..7..q}.f...p...*..<J;I.6..8.Y6..{...8.&<n.q...t<X.0.9-F.,.....Gc...;..........B.t...S.IOq...M.Gh....T`.`k...i.{..3/..4.._....yL..e.dF.ff3............7.17...Y.?.b..3.......%(..C&..{f.......h..I...C.'k..~.....AxP..M.;.`.2b....B....v.}!.n.a.'.hw\..G..7d....S.[....TD..r.1...wWlw=xp..s..[-.E....=UA.M...k.z.-..

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\bell.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):102500
                                                                                                                                                                                Entropy (8bit):6.555433845117635
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:DZbfe8QjDm2KS6RZD1FKtHNXM7g4dCJulvE7+O3zTPDOcxuVyyqqLYET7GLpQM8f:DVf2h6RVSmdE0xO3Hb9uMdVLJA
                                                                                                                                                                                MD5:39A54BA919BA15551573DB2D39BA7440
                                                                                                                                                                                SHA1:E595DA7379327C5AFABCE031B75C6573D0A0206A
                                                                                                                                                                                SHA-256:F7EBAF259755C2F7DDBFE48E0D5351EDA8DC974C1C7A954D25EBE97BBF1CEF4A
                                                                                                                                                                                SHA-512:15BF3DBFC055C27AD5AEA4C34874A850A9C97AB24C12E3C2428AC9A7C683E221FF2CA7C6283493272D7B37FA541F4EBC564316186CBDEC8F5F193EA3E3B7915E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF\...WAVEfmt ........D....X......data8...r...!...........j.+...'...=...9.X.0...N...C...R.......+............./...6.l.J...f...........;.5...U.U.......t.....Z.=...B.........9...j...@.>.......1.....W.a.....C.........................1.......+.....0.............................7...4.I...........a.....f.............P...............+.V.2...p.|... ...{.....C.X.<.....N.....^.............].....N........x...........{.........3.............{.....D...{..._.).x./...;.o.Z..... ...`.<.............5.............3.......;.....$...X..X...,...j...O.?.....W...2...o.w.!...%...m.:.y...-.&...G.....................f.|.....\.|.s.....=...........;.O.......d...n...c.$...p...S...............(.............%.................^."...t.g.c.q.........r...9.........................Q.2.....?.Y...$.l...W.......*.....s.....D.....A.....B.H.U.M...|...d.N...b...........7.......'...}.d.......h.......(. .x.....L.Z.q...`...+..I...@.....T.p.z.......9...E...r.G.U.x.y.................7...Q.......#...h...........5...@...Q....._.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\bell2.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):87678
                                                                                                                                                                                Entropy (8bit):6.600950279412908
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:MihVUU7j10GvDy2s65epfQ3XR7xTv7sHb+SAAVOhYmfE5RpX0+j6q2AcXe4Ldpq8:7UU7j6GjXDpEZAAVhD0+j6ve4hpq8
                                                                                                                                                                                MD5:00E641ECF71AAFBEDF54F6D948CA8B58
                                                                                                                                                                                SHA1:D235AB2E36BBD4974D6628FAAB9622A4D77F9328
                                                                                                                                                                                SHA-256:0D670F271DBC8DDD1F8ADD6C01CDAD1678E8D968A38482A09B69AF2A4E12C3C2
                                                                                                                                                                                SHA-512:AED88A9E8D1611C79F92AD19E5F6C5B0BD67BE9D9A72D62FFE7F99E8BD5FAEC98823EBCF245C88B8E14FCCDFED203532165D36D9DDAABC12303CF043C01D8E84
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFvV..WAVEfmt ........D....X......dataRV......................4.z.1.U.&.........x...w.......e.F.N...{...$...,.....i.2.......!.~.0...,.....H.I.Q.................*.1...............U.D.....v.g.....0...........V.X.o.j.2.Z.d.1. .........(.P...[.?....................K.-............[.......+...............w...@...N...8.....i.....".....+...N...........F.......%.....N.......E.......=.................T...'.7.U.i...>.j.........!.....M.,...:.........,...Q.......H...&...a...l...............C.......a.........,...e...+...@.0./...".a.&.....1.i...%.........7.......W.....[.,.A...`...>.....V.(.....9.(.;.(...v... ./.S.....#.........P.....(...L.....F.Q.....m...~.......`.......Q.7.1...N.....g.U.....4.................F.S.#.....0.`...*...............R...:.......<...j.............$.E.W.....~...r.P.......N...,.............%.L.....@...H...p.........0..."...L.......|.....#.;...W.....j.:...G.................U.?.....].........R.1.............}.......:.........6.k...P...r.....;...............u.K... .9.....?.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\cacert.pem (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Unicode text, UTF-8 text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):236849
                                                                                                                                                                                Entropy (8bit):6.003001911190803
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:ecRqlx9NFqI6FdZL52dTOgSQh1hV1A9W2u2x:ecCnd6fZL5mO41hXA9Wkx
                                                                                                                                                                                MD5:92C13373D7DBE43BDC167479274A43E2
                                                                                                                                                                                SHA1:B0A93C92A2358CD0D9E9D202B6D60B69DF9DAB0B
                                                                                                                                                                                SHA-256:BB1782D281FE60D4A2DCF41BC229ABE3E46C280212597D4ABCC25BDDF667739B
                                                                                                                                                                                SHA-512:26C6FA1AC7BCFD523F9AB9E6C2D971103CCFC610AD0DF504D4E9B064DAD74576D77240C052B808F4C37C9240302A7E973A20F79EE39AC7BF3201A6FA9F0DFA96
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Tue Nov 26 13:58:25 2024 GMT.##.## Find updated versions here: https://curl.se/docs/caextract.html.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.29..## SHA256: 36105b01631f9fc03b1eca779b44a30a1a5890b9bf8dc07ccb001a07301e01cf.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAA

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\ding.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):67340
                                                                                                                                                                                Entropy (8bit):6.249655199455427
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:8Jcv03vs0BhTFiC7v+CZ7lISS1Q02NVfto7tZ/rGLBTLfI:8CE5jFisv+CDIfiZq7fjt
                                                                                                                                                                                MD5:C13B4139D1E32DCABDB8EEE9E699053D
                                                                                                                                                                                SHA1:2932FD23C0E67A4E63CC720E8DCC094041B1E511
                                                                                                                                                                                SHA-256:D6B7B4D6E7A38E58484FED53BDBB27C0D0097A58E6289BC5C06267C6B2C8D06A
                                                                                                                                                                                SHA-512:0F00B8A6C530F3C05089BC403C2E118D5653E17F19FB1020A2B42BE66289F62EC5E39165AB1DF55C09FFC9E39A57471EB140DBE978CB6EC918A2DEAB7EB4CB66
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt ........D....X......data......#.j...............f.J._.......#.U.......t.......,...].....7.......M.......K...*.../...w.2...J.....e.|.p.C.......L...=.......B...........Q.~...6...../.U...............W.:.`...........&.;.%.&."...c...-.Q.....Z.4...Q.(.....?.v...J.s.B.r...............q.......l.i...9.p.U.......#..4.X.=.q.H.........G.............;.......k.....'...k...............B.a.O.1.~.........Y...........t.M...h._.]...P.....O...3.....=.0.........X.....(.....p.>...s.....x...f.5.I...x...............b.......&...j.......C...........<.z.!...6.......F..._.L...........P...g.....y.4.....0...g.h.^.....;.....Y.#..C.+..............k...........v.......9.c.,...x.....E.$.....e.....e......*.........D.....p.....=.................N.j.......I...E...].=......^.t.m........*.....x...........d.*.=............. .n.....[.......U.^.I.....<.|.......&.%.....].D.....]...q.....}...........V.K.x.......#.2.....o.........u.'...L...^.Y.6.9...b.X.........................>...............^...8.......

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\fail.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):35092
                                                                                                                                                                                Entropy (8bit):7.05611679728137
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:89J1rqJ2HjTExdYblpk7epJoAJ/Sc6CdbzCpOAXdGHb:CqJ2H/bl6NAJ6c6qlAXdub
                                                                                                                                                                                MD5:8E77A356049413423D4B090EADAC4BA9
                                                                                                                                                                                SHA1:989854EC030D81E7CBA8441DDB9DD1BF1AED7C87
                                                                                                                                                                                SHA-256:7409AC35B27BA3D05326045F43EE2346679BE37A0CDA4333BFD6BB28E5C0595D
                                                                                                                                                                                SHA-512:68DD934734A3153AB14F6C06FAB6CC84F9E4BA2D3FA19F2A651A0E83BBDD77438E472836FE762BCE1AC2904D7C8B613714878CB7FFB8360C6DAA1422E34EE00F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt ........D....X......data.....................................&.7.8...........<.&................................................. ...............................?.).........................-.2...4.s...........M...'.:...T.Q...............7...I...K.......^...j.....=.......'.........k.b...........-...@.,.U...*.....>.............t.r.>....+.....o.....l.......;.......M.+.V.............+...t.)._.x.......U...e.......:...................d.\...y.............0.(.......\.I...S.........f.S.......[...<.....r.~.Q...!.).........G...........@...S.p.......O.r......!....b...............K.............c.g...v...I.l.....P.Y...........\.....9.........w.d.4.......l.H.G.........~.\.......+.............P.............<...R.@.B...o.x...+.\.o.l.:.#.>._.O.3.......g.....C.].0.....o...!.|.........6.....G.....[.K...f...j.....m.}..... .H.......\.......f.Y.8..................(.^.(.........K.........x...A.1...8.....Q...x.6...............U.$.......].R.........,.g...L.W.............#.;...r.N.~.#.v.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\fail2.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):50454
                                                                                                                                                                                Entropy (8bit):7.132841508547479
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:XR8h/Ashig01KTPg+tZXhbLkxmXwvBy4QfSuR37v5qzQRYG/gIez:Xfs0zkjft3fkxmOI4Q6uF7v5qzeJgIez
                                                                                                                                                                                MD5:18BBD6A2A31120E65FBB59909674D339
                                                                                                                                                                                SHA1:2DE3DFC75C04B3C38538F448C13B9C6529676A3D
                                                                                                                                                                                SHA-256:2AC1CEF32CC5A514375AEF53D82B84F5BF7F5463520DA497C3DFCD41FFD0DCDA
                                                                                                                                                                                SHA-512:AE1F60E8AB60A11F1E118F3951480D167A41076ED506913CCD67EE9A6255D41AC5A1E173265E30B8954937903BD028A3147F8F69845D2D18FB21F0562E9CD7F3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt .........]..........data........................................................................................................................................................................................................................................................................................ .......................................................................#.........................../.u...,...9.....L.........P.....M...m.......-...\.J.u...7...`...........+.....~.'....~...............B....!."Q!..M...x.N...B...e.g.........?.....{.I.P.....f...V.....].c.{.d.....T.P.......+..E..3.....#.%......V.......$"N,T1.0.*.!..k.`...7.W.&.C.".}.\...g...).............<.*.=./.....\...z.......e...........N.....-......Z..............).-_*. 7...,.Q.....................D...........|.........u.........w...}.c.....R.R...]...1.2......L.<.j.....j.f....-.e .'.&..%.....................^...!.g.............k.;.M.....&.G...D.....P.......k.....t...l.K.P......=....J.....

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\gong.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):230274
                                                                                                                                                                                Entropy (8bit):5.828753704400131
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:aNjvtDzBKXy1MzW3zioFQwGnJvCAIGLmr:azdzvDnGJ7IGqr
                                                                                                                                                                                MD5:7DFF321C9C0DFBA94C1FD67B621DD759
                                                                                                                                                                                SHA1:DA8910DF016404C38B0C77490D8DEEB15F6FEB73
                                                                                                                                                                                SHA-256:7F6C0F42AF2125813D3FD67E57D2CF885D7D6567FBF076DAF7C13321FBB46D80
                                                                                                                                                                                SHA-512:129E8BB6D545B22B552AD293101084A604E8B493A848DA9C019439F56EE073B124A53639B253E984F4835CAC2B4F907C98DAEEF2B10266E396D89EEBF60F1651
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFz...WAVEfmt ........D....X......dataV...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\harp.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):182060
                                                                                                                                                                                Entropy (8bit):6.567289215526673
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:HznYojw9VI12joRDa1CxhDkGA6mHMkhcHijrbfr4JWILrqEOkMZrxu2+Hcd1MFq8:HjY98a1+SeSrbf8Tl1MZv8cHMn
                                                                                                                                                                                MD5:E875FAD9206AA9A9F5D48FD9FC46EF69
                                                                                                                                                                                SHA1:D18C4C8B93A2372AF83E613BBE9E447D4D205C7F
                                                                                                                                                                                SHA-256:31DA846077E99BF11F95477B9547513D04DF8048914FA7AC8EC4087B7889C4B0
                                                                                                                                                                                SHA-512:DC4E16216D64DB7A41B357A6C181EDFDAF5ED6B0BEEB640FFFD6F5752583105C9C0CBCD411F7971FA8A7C7C7DE5A85E74AD98DB470AFD1EE4D0432CF9EC2A1D7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-12H34.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):351747
                                                                                                                                                                                Entropy (8bit):7.899316585167089
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:CAQnMm4AzR2iT0BeyMcEMHeBs/bhkS/vQQbOY+LX8d3pukVMQyP:CNX0iIBeyf+Bsdkg4yymuhfP
                                                                                                                                                                                MD5:EB2B74B48971C9EE1F8739C047AEC356
                                                                                                                                                                                SHA1:11B2576621F710513B34CCEDC33E86C6DBBE82BF
                                                                                                                                                                                SHA-256:BD77639AE7610479AC31B66534A5AB8B84A3497DFC9DD2007FED40A565E0E7E8
                                                                                                                                                                                SHA-512:D49E6F4F88C700BA6C821B8D20D1745EA456362675E8253307B8CC5B0467AE8506E53DFADDA4A4E1F7FD8D8F4DB0BBA369E4DCB194D3EDAA03A1058F76E4635C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:PK........y..V................about.png.PNG........IHDR... ... .....szz.....tIME.....+2...%....pHYs...#...#.x.?v....gAMA......a.....IDATx...XTW../]1&k,.$&F,.((F.5.P. ....C..3 ...v...Q....m..A...!.A1.V..Q......!Fe....~.{.....=...!.... .W.G'..7.G.<Z.&..-Uy...e....Dg.)......#.OP....u.,^...H...9.K....J~x....].G.`.{.V|]s.i.-]k...;k.m.N.$..........H..^I..;N.E.4c...".o"8.........A.u...D@.u......"s..7..O^.}i........\....]..E.........d6.y..p.8f\...~.e.mo.-e.7..i..x.....n[E....2y.._2.+Sh.Dl..P.=..dbM..v...`.~.V__....n;..wu....X.v..(....4..KS.a......X./m....S...j@&K.t...k.S...M.,.j.....*.x..<...q...<~.....q..*._.a.....,.;.9..k..d.9._..I.c..M.ry.Z.....*..5...{.X....a~..f....t....x....C'.0;.{|..3C.8.a.|..).1.o..~a...4...0..).Ib.f....ST..[.._....x......Zw.3.y...^.$....#..>*:....d........n.....p....G.G0j.i..........MtL\....by..V...Z....e.H[..k $B>c....3WW.Hv............>.<h.....L.9.i.J.C)..c..$...6.o.%.q.....+..6....*.....!..~.?......A.AL.d...1..

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-185HH.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):87678
                                                                                                                                                                                Entropy (8bit):6.600950279412908
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:MihVUU7j10GvDy2s65epfQ3XR7xTv7sHb+SAAVOhYmfE5RpX0+j6q2AcXe4Ldpq8:7UU7j6GjXDpEZAAVhD0+j6ve4hpq8
                                                                                                                                                                                MD5:00E641ECF71AAFBEDF54F6D948CA8B58
                                                                                                                                                                                SHA1:D235AB2E36BBD4974D6628FAAB9622A4D77F9328
                                                                                                                                                                                SHA-256:0D670F271DBC8DDD1F8ADD6C01CDAD1678E8D968A38482A09B69AF2A4E12C3C2
                                                                                                                                                                                SHA-512:AED88A9E8D1611C79F92AD19E5F6C5B0BD67BE9D9A72D62FFE7F99E8BD5FAEC98823EBCF245C88B8E14FCCDFED203532165D36D9DDAABC12303CF043C01D8E84
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFvV..WAVEfmt ........D....X......dataRV......................4.z.1.U.&.........x...w.......e.F.N...{...$...,.....i.2.......!.~.0...,.....H.I.Q.................*.1...............U.D.....v.g.....0...........V.X.o.j.2.Z.d.1. .........(.P...[.?....................K.-............[.......+...............w...@...N...8.....i.....".....+...N...........F.......%.....N.......E.......=.................T...'.7.U.i...>.j.........!.....M.,...:.........,...Q.......H...&...a...l...............C.......a.........,...e...+...@.0./...".a.&.....1.i...%.........7.......W.....[.,.A...`...>.....V.(.....9.(.;.(...v... ./.S.....#.........P.....(...L.....F.Q.....m...~.......`.......Q.7.1...N.....g.U.....4.................F.S.#.....0.`...*...............R...:.......<...j.............$.E.W.....~...r.P.......N...,.............%.L.....@...H...p.........0..."...L.......|.....#.;...W.....j.:...G.................U.?.....].........R.1.............}.......:.........6.k...P...r.....;...............u.K... .9.....?.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-1D3QI.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):102500
                                                                                                                                                                                Entropy (8bit):6.555433845117635
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:DZbfe8QjDm2KS6RZD1FKtHNXM7g4dCJulvE7+O3zTPDOcxuVyyqqLYET7GLpQM8f:DVf2h6RVSmdE0xO3Hb9uMdVLJA
                                                                                                                                                                                MD5:39A54BA919BA15551573DB2D39BA7440
                                                                                                                                                                                SHA1:E595DA7379327C5AFABCE031B75C6573D0A0206A
                                                                                                                                                                                SHA-256:F7EBAF259755C2F7DDBFE48E0D5351EDA8DC974C1C7A954D25EBE97BBF1CEF4A
                                                                                                                                                                                SHA-512:15BF3DBFC055C27AD5AEA4C34874A850A9C97AB24C12E3C2428AC9A7C683E221FF2CA7C6283493272D7B37FA541F4EBC564316186CBDEC8F5F193EA3E3B7915E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF\...WAVEfmt ........D....X......data8...r...!...........j.+...'...=...9.X.0...N...C...R.......+............./...6.l.J...f...........;.5...U.U.......t.....Z.=...B.........9...j...@.>.......1.....W.a.....C.........................1.......+.....0.............................7...4.I...........a.....f.............P...............+.V.2...p.|... ...{.....C.X.<.....N.....^.............].....N........x...........{.........3.............{.....D...{..._.).x./...;.o.Z..... ...`.<.............5.............3.......;.....$...X..X...,...j...O.?.....W...2...o.w.!...%...m.:.y...-.&...G.....................f.|.....\.|.s.....=...........;.O.......d...n...c.$...p...S...............(.............%.................^."...t.g.c.q.........r...9.........................Q.2.....?.Y...$.l...W.......*.....s.....D.....A.....B.H.U.M...|...d.N...b...........7.......'...}.d.......h.......(. .x.....L.Z.q...`...+..I...@.....T.p.z.......9...E...r.G.U.x.y.................7...Q.......#...h...........5...@...Q....._.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-1MB2K.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):182060
                                                                                                                                                                                Entropy (8bit):6.567289215526673
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:HznYojw9VI12joRDa1CxhDkGA6mHMkhcHijrbfr4JWILrqEOkMZrxu2+Hcd1MFq8:HjY98a1+SeSrbf8Tl1MZv8cHMn
                                                                                                                                                                                MD5:E875FAD9206AA9A9F5D48FD9FC46EF69
                                                                                                                                                                                SHA1:D18C4C8B93A2372AF83E613BBE9E447D4D205C7F
                                                                                                                                                                                SHA-256:31DA846077E99BF11F95477B9547513D04DF8048914FA7AC8EC4087B7889C4B0
                                                                                                                                                                                SHA-512:DC4E16216D64DB7A41B357A6C181EDFDAF5ED6B0BEEB640FFFD6F5752583105C9C0CBCD411F7971FA8A7C7C7DE5A85E74AD98DB470AFD1EE4D0432CF9EC2A1D7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-2IM3U.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):230274
                                                                                                                                                                                Entropy (8bit):5.828753704400131
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:aNjvtDzBKXy1MzW3zioFQwGnJvCAIGLmr:azdzvDnGJ7IGqr
                                                                                                                                                                                MD5:7DFF321C9C0DFBA94C1FD67B621DD759
                                                                                                                                                                                SHA1:DA8910DF016404C38B0C77490D8DEEB15F6FEB73
                                                                                                                                                                                SHA-256:7F6C0F42AF2125813D3FD67E57D2CF885D7D6567FBF076DAF7C13321FBB46D80
                                                                                                                                                                                SHA-512:129E8BB6D545B22B552AD293101084A604E8B493A848DA9C019439F56EE073B124A53639B253E984F4835CAC2B4F907C98DAEEF2B10266E396D89EEBF60F1651
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFz...WAVEfmt ........D....X......dataV...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-2OB44.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):59894
                                                                                                                                                                                Entropy (8bit):6.838365676849903
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:UU+/iLUqeJcKYn9lgxaQDyJVv06RvWYI2SN6gQVfF:UUocOyoa93v061WYI2TF
                                                                                                                                                                                MD5:654A9C620731AE72D26D3777418FA647
                                                                                                                                                                                SHA1:B1CAB3E17046914CDB3F4D22DC3A71F747F8728E
                                                                                                                                                                                SHA-256:E6A06409A9B1AF41FC2242AB98D8B8F588B54DB7ED583C299838D135CE2A1D73
                                                                                                                                                                                SHA-512:CC7E0328249A3A08AB533153C168B707A30B0223D9AEDE1BD84AB1B33A3B5D60193120019B25BD8C18B92B454C14F653A54D31EC00F0DFF41CA60C8E020CB573
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt .........]..........data....................3.>...%...z.......[.Z.....K.....G.....N.....Z.'.....h.w.......>.!....... .................=.....:.%...e.....I.....4.....W.....................;.....5.......@.....S.#...M.E.....8...4.Y.......!.....s.<.8.R.T...k.a.a.f.^...G.......2.......[.....k.........}..........z..o.............;.]...)...............I.r...m.e.....0...".....$.'.J.h.=...L.................e.2.....N.c...S...$...q...v.[..........................i.w...d.%._.1.;...].s.N...g.....#.v.l......z.i..9.H...$.*.....D.h.s...z.............N.`...M.....8.L.I...0.. ../.}.5.R.......g.......-.I.-....[...!.........Y...A.....$.Z.....d.}..............[.....b...H.n.......p.......~...'.c.......e......m...(.\...T.a.x.9.....>.......6.I...........K.............U!..../.............b.........:.\.......w.....[..........._.........k.2.s.=...x...0.P...q...................H...v...=............2.............D.j...V.......;...3.s.....J...7.....8...................!.......H.....D.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-57T01.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Unicode text, UTF-8 text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):236849
                                                                                                                                                                                Entropy (8bit):6.003001911190803
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:ecRqlx9NFqI6FdZL52dTOgSQh1hV1A9W2u2x:ecCnd6fZL5mO41hXA9Wkx
                                                                                                                                                                                MD5:92C13373D7DBE43BDC167479274A43E2
                                                                                                                                                                                SHA1:B0A93C92A2358CD0D9E9D202B6D60B69DF9DAB0B
                                                                                                                                                                                SHA-256:BB1782D281FE60D4A2DCF41BC229ABE3E46C280212597D4ABCC25BDDF667739B
                                                                                                                                                                                SHA-512:26C6FA1AC7BCFD523F9AB9E6C2D971103CCFC610AD0DF504D4E9B064DAD74576D77240C052B808F4C37C9240302A7E973A20F79EE39AC7BF3201A6FA9F0DFA96
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:##.## Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Tue Nov 26 13:58:25 2024 GMT.##.## Find updated versions here: https://curl.se/docs/caextract.html.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt.##.## It contains the certificates in PEM format and therefore.## can be directly used with curl / libcurl / php_curl, or with.## an Apache+mod_ssl webserver for SSL client authentication..## Just configure this file as the SSLCACertificateFile..##.## Conversion done with mk-ca-bundle.pl version 1.29..## SHA256: 36105b01631f9fc03b1eca779b44a30a1a5890b9bf8dc07ccb001a07301e01cf.##...GlobalSign Root CA.==================.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAA

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-CRA09.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):54890
                                                                                                                                                                                Entropy (8bit):6.922608548070075
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:k3RE1QCkFCNf8vCrzR6Rzrw7zRgxwqz5LI9jT7s:+zc8vCrYUzRb6+9v7s
                                                                                                                                                                                MD5:E83E11BFCF969E11C40BB415D3F80D2B
                                                                                                                                                                                SHA1:1D317B80265E40CCD7A31E8B2C09FB243FEBCBAF
                                                                                                                                                                                SHA-256:0EF947556E4E00E3FCDB55EBEE46A6932F08111DC7D18C5E9AED1BD7D936E667
                                                                                                                                                                                SHA-512:E220BCAEE82C9BB6FD035EEE7D5D9436765907231DF42D006EA072C2A26F526941BAE97684D4EE18AE86DA7104C2CB67D3228DD73FBA59F20AB246AF584D76EA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFb...WAVEfmt ........D....X......data>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.........7.....y...I.5))(..,.X....h.L.X.........P.............Q.'....#.....d.}...(..............2........(.$.....}.=........=.m..j._...}.......y...@.......T...2.......*.c...u.......1...A.)...P.....q.......8....%..,.v...,.......2.....................i.......0....[...........*.V.W...;.*.".....b.6...&...........W...].i.....V...O...9..._.}..$.u...b...............u.r.*.....d.....Y.R.....U.}...]...7.....A.........W.A...].....C.m...;.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-EN6V8.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):50454
                                                                                                                                                                                Entropy (8bit):7.132841508547479
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:XR8h/Ashig01KTPg+tZXhbLkxmXwvBy4QfSuR37v5qzQRYG/gIez:Xfs0zkjft3fkxmOI4Q6uF7v5qzeJgIez
                                                                                                                                                                                MD5:18BBD6A2A31120E65FBB59909674D339
                                                                                                                                                                                SHA1:2DE3DFC75C04B3C38538F448C13B9C6529676A3D
                                                                                                                                                                                SHA-256:2AC1CEF32CC5A514375AEF53D82B84F5BF7F5463520DA497C3DFCD41FFD0DCDA
                                                                                                                                                                                SHA-512:AE1F60E8AB60A11F1E118F3951480D167A41076ED506913CCD67EE9A6255D41AC5A1E173265E30B8954937903BD028A3147F8F69845D2D18FB21F0562E9CD7F3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt .........]..........data........................................................................................................................................................................................................................................................................................ .......................................................................#.........................../.u...,...9.....L.........P.....M...m.......-...\.J.u...7...`...........+.....~.'....~...............B....!."Q!..M...x.N...B...e.g.........?.....{.I.P.....f...V.....].c.{.d.....T.P.......+..E..3.....#.%......V.......$"N,T1.0.*.!..k.`...7.W.&.C.".}.\...g...).............<.*.=./.....\...z.......e...........N.....-......Z..............).-_*. 7...,.Q.....................D...........|.........u.........w...}.c.....R.R...]...1.2......L.<.j.....j.f....-.e .'.&..%.....................^...!.g.............k.;.M.....&.G...D.....P.......k.....t...l.K.P......=....J.....

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-FBQ0I.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):524890
                                                                                                                                                                                Entropy (8bit):7.998477275593787
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:12288:tHWwVw5n/cZGaKwH3OPaLBu5dTz/QoFk3mTiJYEyRLrO0NOwbVFEL:t2wVw5n63KwHeSLBurtC1a2sDQ
                                                                                                                                                                                MD5:49DF22A8504B30AC0E66D0A8521BEFF2
                                                                                                                                                                                SHA1:2ACDA03760A6EC4D1196197CF83A61FBB8965952
                                                                                                                                                                                SHA-256:AF05178F06ECD3F8E8235DE53A91AAE011D75E6F78772B700D7C6B40D5B60479
                                                                                                                                                                                SHA-512:EAFD5C5DCE9CF45B5DDA23DF702E73F60FDF6DBD163103D17C6D96179F70327896642EE89E071E6980308F0E5E60964F056D2DF86C0F5689BD35B1D0BCC8522C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:PK.........}uY...!zF...T......bulgarian.lng.]_o.Gr.>.....D.@\E. ...c[....8...h...........'.:.....F..l'.`..+....3.(]U.3=..3.. @.......U..Uu.....7z...~..`/.{.....?.....$...e...~.../~..'~....]..}...{<.xy...?.i.l...8..x...[,`......b...=.$.A..$.....~.y...w....q.F}..wx.....o..l.w....x[.=7yS<a..l....9.&,...e...l.....d..evI....G.4p.Gn?q..{_.,.e.O8..1.p.2(.0......L.9.. .....(.x....~8.w.?.-...I.......-.O..:...]Wa.....<..E]..Fn4..X.u.z...`..^~,...Z.G..0.k.M.?..8X....t4.#X..79p.9....A..w..Q...43.#.JHuB.,@.G(...,;........-.s.?V+.)>.5,0.........?.X.*...../.6.F..j......q..ks1.,......L.z.d...N..3..V..4........U.....t......g.....9..R.;.u.. ....q..../...p..7..q}.f...p...*..<J;I.6..8.Y6..{...8.&<n.q...t<X.0.9-F.,.....Gc...;..........B.t...S.IOq...M.Gh....T`.`k...i.{..3/..4.._....yL..e.dF.ff3............7.17...Y.?.b..3.......%(..C&..{f.......h..I...C.'k..~.....AxP..M.;.`.2b....B....v.}!.n.a.'.hw\..G..7d....S.[....TD..r.1...wWlw=xp..s..[-.E....=UA.M...k.z.-..

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-GTR9S.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):114220
                                                                                                                                                                                Entropy (8bit):5.815286660197201
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:6ToO1ilKTJMbmAiekySMd10fQfYKs2LfjfN2IupDrOQnQ6a+wX43E5PF:6TTiEMmFekySMH03KsiQDrO1D
                                                                                                                                                                                MD5:9B9C547DA31F05167D03B9A9C4794A1E
                                                                                                                                                                                SHA1:5CB65DA494D1BE506D00CCFC523D39C1AF4BF44E
                                                                                                                                                                                SHA-256:CC8E7CED06DED913DC63F3DC48442D4B78247E98A0B1481ABAD421446E7B9725
                                                                                                                                                                                SHA-512:97A0199C1B76A1B9FC54A7DFA52197754905248921D2268D2D963EAABB3DDCA6401389B61E44278E8179532E08FC82D0F75B3EADB8D8B1026F0508709958F132
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-LEJVI.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):67340
                                                                                                                                                                                Entropy (8bit):6.249655199455427
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:8Jcv03vs0BhTFiC7v+CZ7lISS1Q02NVfto7tZ/rGLBTLfI:8CE5jFisv+CDIfiZq7fjt
                                                                                                                                                                                MD5:C13B4139D1E32DCABDB8EEE9E699053D
                                                                                                                                                                                SHA1:2932FD23C0E67A4E63CC720E8DCC094041B1E511
                                                                                                                                                                                SHA-256:D6B7B4D6E7A38E58484FED53BDBB27C0D0097A58E6289BC5C06267C6B2C8D06A
                                                                                                                                                                                SHA-512:0F00B8A6C530F3C05089BC403C2E118D5653E17F19FB1020A2B42BE66289F62EC5E39165AB1DF55C09FFC9E39A57471EB140DBE978CB6EC918A2DEAB7EB4CB66
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt ........D....X......data......#.j...............f.J._.......#.U.......t.......,...].....7.......M.......K...*.../...w.2...J.....e.|.p.C.......L...=.......B...........Q.~...6...../.U...............W.:.`...........&.;.%.&."...c...-.Q.....Z.4...Q.(.....?.v...J.s.B.r...............q.......l.i...9.p.U.......#..4.X.=.q.H.........G.............;.......k.....'...k...............B.a.O.1.~.........Y...........t.M...h._.]...P.....O...3.....=.0.........X.....(.....p.>...s.....x...f.5.I...x...............b.......&...j.......C...........<.z.!...6.......F..._.L...........P...g.....y.4.....0...g.h.^.....;.....Y.#..C.+..............k...........v.......9.c.,...x.....E.$.....e.....e......*.........D.....p.....=.................N.j.......I...E...].=......^.t.m........*.....x...........d.*.=............. .n.....[.......U.^.I.....<.|.......&.%.....].D.....]...q.....}...........V.K.x.......#.2.....o.........u.'...L...^.Y.6.9...b.X.........................>...............^...8.......

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\is-OE1DV.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):35092
                                                                                                                                                                                Entropy (8bit):7.05611679728137
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:89J1rqJ2HjTExdYblpk7epJoAJ/Sc6CdbzCpOAXdGHb:CqJ2H/bl6NAJ6c6qlAXdub
                                                                                                                                                                                MD5:8E77A356049413423D4B090EADAC4BA9
                                                                                                                                                                                SHA1:989854EC030D81E7CBA8441DDB9DD1BF1AED7C87
                                                                                                                                                                                SHA-256:7409AC35B27BA3D05326045F43EE2346679BE37A0CDA4333BFD6BB28E5C0595D
                                                                                                                                                                                SHA-512:68DD934734A3153AB14F6C06FAB6CC84F9E4BA2D3FA19F2A651A0E83BBDD77438E472836FE762BCE1AC2904D7C8B613714878CB7FFB8360C6DAA1422E34EE00F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt ........D....X......data.....................................&.7.8...........<.&................................................. ...............................?.).........................-.2...4.s...........M...'.:...T.Q...............7...I...K.......^...j.....=.......'.........k.b...........-...@.,.U...*.....>.............t.r.>....+.....o.....l.......;.......M.+.V.............+...t.)._.x.......U...e.......:...................d.\...y.............0.(.......\.I...S.........f.S.......[...<.....r.~.Q...!.).........G...........@...S.p.......O.r......!....b...............K.............c.g...v...I.l.....P.Y...........\.....9.........w.d.4.......l.H.G.........~.\.......+.............P.............<...R.@.B...o.x...+.\.o.l.:.#.>._.O.3.......g.....C.].0.....o...!.|.........6.....G.....[.K...f...j.....m.}..... .H.......\.......f.Y.8..................(.^.(.........K.........x...A.1...8.....Q...x.6...............U.$.......].R.........,.g...L.W.............#.;...r.N.~.#.v.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\notify.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):54890
                                                                                                                                                                                Entropy (8bit):6.922608548070075
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:k3RE1QCkFCNf8vCrzR6Rzrw7zRgxwqz5LI9jT7s:+zc8vCrYUzRb6+9v7s
                                                                                                                                                                                MD5:E83E11BFCF969E11C40BB415D3F80D2B
                                                                                                                                                                                SHA1:1D317B80265E40CCD7A31E8B2C09FB243FEBCBAF
                                                                                                                                                                                SHA-256:0EF947556E4E00E3FCDB55EBEE46A6932F08111DC7D18C5E9AED1BD7D936E667
                                                                                                                                                                                SHA-512:E220BCAEE82C9BB6FD035EEE7D5D9436765907231DF42D006EA072C2A26F526941BAE97684D4EE18AE86DA7104C2CB67D3228DD73FBA59F20AB246AF584D76EA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFFb...WAVEfmt ........D....X......data>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.........7.....y...I.5))(..,.X....h.L.X.........P.............Q.'....#.....d.}...(..............2........(.$.....}.=........=.m..j._...}.......y...@.......T...2.......*.c...u.......1...A.)...P.....q.......8....%..,.v...,.......2.....................i.......0....[...........*.V.W...;.*.".....b.6...&...........W...].i.....V...O...9..._.}..$.u...b...............u.r.*.....d.....Y.R.....U.}...]...7.....A.........W.A...].....C.m...;.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\notify2.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):114220
                                                                                                                                                                                Entropy (8bit):5.815286660197201
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:6ToO1ilKTJMbmAiekySMd10fQfYKs2LfjfN2IupDrOQnQ6a+wX43E5PF:6TTiEMmFekySMH03KsiQDrO1D
                                                                                                                                                                                MD5:9B9C547DA31F05167D03B9A9C4794A1E
                                                                                                                                                                                SHA1:5CB65DA494D1BE506D00CCFC523D39C1AF4BF44E
                                                                                                                                                                                SHA-256:CC8E7CED06DED913DC63F3DC48442D4B78247E98A0B1481ABAD421446E7B9725
                                                                                                                                                                                SHA-512:97A0199C1B76A1B9FC54A7DFA52197754905248921D2268D2D963EAABB3DDCA6401389B61E44278E8179532E08FC82D0F75B3EADB8D8B1026F0508709958F132
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF$...WAVEfmt ........D....X......data................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Resources\remind.wav (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 24000 Hz
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):59894
                                                                                                                                                                                Entropy (8bit):6.838365676849903
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:UU+/iLUqeJcKYn9lgxaQDyJVv06RvWYI2SN6gQVfF:UUocOyoa93v061WYI2TF
                                                                                                                                                                                MD5:654A9C620731AE72D26D3777418FA647
                                                                                                                                                                                SHA1:B1CAB3E17046914CDB3F4D22DC3A71F747F8728E
                                                                                                                                                                                SHA-256:E6A06409A9B1AF41FC2242AB98D8B8F588B54DB7ED583C299838D135CE2A1D73
                                                                                                                                                                                SHA-512:CC7E0328249A3A08AB533153C168B707A30B0223D9AEDE1BD84AB1B33A3B5D60193120019B25BD8C18B92B454C14F653A54D31EC00F0DFF41CA60C8E020CB573
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RIFF....WAVEfmt .........]..........data....................3.>...%...z.......[.Z.....K.....G.....N.....Z.'.....h.w.......>.!....... .................=.....:.%...e.....I.....4.....W.....................;.....5.......@.....S.#...M.E.....8...4.Y.......!.....s.<.8.R.T...k.a.a.f.^...G.......2.......[.....k.........}..........z..o.............;.]...)...............I.r...m.e.....0...".....$.'.J.h.=...L.................e.2.....N.c...S...$...q...v.[..........................i.w...d.%._.1.;...].s.N...g.....#.v.l......z.i..9.H...$.*.....D.h.s...z.............N.`...M.....8.L.I...0.. ../.}.5.R.......g.......-.I.-....[...!.........Y...A.....$.Z.....d.}..............[.....b...H.n.......p.......~...'.c.......e......m...(.\...T.a.x.9.....>.......6.I...........K.............U!..../.............b.........:.\.......w.....[..........._.........k.2.s.=...x...0.P...q...................H...v...=............2.............D.j...V.......;...3.s.....J...7.....8...................!.......H.....D.

                                                                                                                                                                                C:\Program Files\FreeFileSync\Uninstall\is-2E3MA.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3414640
                                                                                                                                                                                Entropy (8bit):6.589239930239391
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                                                MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                                                SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                                                SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Uninstall\unins000.dat

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:InnoSetup Log \001\357\273\277F\357\273\277r\357\273\277e\357\273\277e\357\273\277F\357\273\277i\357\273\277l\357\273\277e\357\273\277S\357\273\277y\357\273\277n\357\273\277c, version 0x418, 56033 bytes, 745481\37\user\376\, C:\Program Files\FreeFileSync\376\377\377\
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):56033
                                                                                                                                                                                Entropy (8bit):3.924180129488829
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:nKTO1VoPBjc0wTe9IlhYbFVbMQFNIbWFycrptofPy2bzD1Ti+xIA+A:0uVopjcvPYgmQ
                                                                                                                                                                                MD5:BD871CBF4CB7390D0C9107E36EBB8800
                                                                                                                                                                                SHA1:F47DAC4CE6FC529677EE6D58DCB92287A573EA81
                                                                                                                                                                                SHA-256:262AE64E21676217C0430857C9CF7DFAF470EC95EF9F4C24DF91F92CD866A83D
                                                                                                                                                                                SHA-512:5074BCD0A40F24AA2B26BC3CF28E1D9A87C0447E4346F6841D344FC70A69EA372B7AE856334C5391C4DBA3314F100F93E263496E8DEEEAAAD5F3AD581670C1AF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Inno Setup Uninstall Log (b)....................................FreeFileSync......................................................................................................................F.r.e.e.F.i.l.e.S.y.n.c...................................................................................+.......................................................................................................................E..#........i.KR......s........7.4.5.4.8.1......c.a.l.i......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c..................".... ...........U..IFPS....D........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TCONTROL....TCONTROL.............................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Uninstall\unins000.exe (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3414640
                                                                                                                                                                                Entropy (8bit):6.589239930239391
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                                                MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                                                SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                                                SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                                                C:\Program Files\FreeFileSync\Uninstall\unins000.msg

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):24089
                                                                                                                                                                                Entropy (8bit):3.274664443443748
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:61EjNSCkf3SCqsTr6CCPanAG1GznL7VV+Iqfc51USQDztXfbKJG/pfx:61EK6CHr6f5H+7Q1USQDztB/Rx
                                                                                                                                                                                MD5:6F54066EB96F26B2BD0FCE8DA6B5F146
                                                                                                                                                                                SHA1:2A20CA3C15D82635C727FC4F7B1BABDC5E68032F
                                                                                                                                                                                SHA-256:13841813BF9AC9E34D496D865D80C6DF6A40EAF0DD6C3793CF6B53089419FDCD
                                                                                                                                                                                SHA-512:A329EE5758A8FE2D69A791B2304FB0E22AEFC5F192D3CC6B6248842C82E8D835BAA861A762B6E3F7B2EFE4AD2DDE1692924CF8193EA9A5F0DC367F4C66F89309
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Inno Setup Messages (6.0.0) (u)......................................]..3....2t.C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

                                                                                                                                                                                C:\Program Files\FreeFileSync\User Manual.pdf (copy)

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PDF document, version 1.4
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1184858
                                                                                                                                                                                Entropy (8bit):7.9402035905593955
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:6l7kUF9mZjMk+kbTBscPr436Igjl7F+c93ZlWuajrb7:6lTF81D+kpfT436FD9muajrb7
                                                                                                                                                                                MD5:321704EB18195DCE4C1078EADD53C688
                                                                                                                                                                                SHA1:3E68163477D347BE9822453CE42D144E0EEBA1D7
                                                                                                                                                                                SHA-256:32E221D0A3F2CE1E4963006EE95FC0FD2FB4C63CD56113C4021BDF1FBBE8C82D
                                                                                                                                                                                SHA-512:6827089989FA2C1FF1C6E6DF09329B235A507ED078B03F984BF03E14B7B742961B4133A70AF647AA58A08D5DAD49799490B66E1E7E0ADD7EA1B44557CBCE4180
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:%PDF-1.4.1 0 obj.<<./Title (...M.a.n.u.a.l. .-. .F.r.e.e.F.i.l.e.S.y.n.c)./Creator (...w.k.h.t.m.l.t.o.p.d.f. .0...1.2...6)./Producer (...Q.t. .4...8...7)./CreationDate (D:20241207103401+01'00').>>.endobj.3 0 obj.<<./Type /ExtGState./SA true./SM 0.02./ca 1.0./CA 1.0./AIS false./SMask /None>>.endobj.4 0 obj.[/Pattern /DeviceRGB].endobj.6 0 obj.<<./Type /XObject./Subtype /Image./Width 572./Height 575./BitsPerComponent 8./ColorSpace /DeviceGray./Length 7 0 R./Filter /FlateDecode.>>.stream.x..w@......J ........{=..z...b=..b...;..v...;J.D.H.....v}..H'...d~..'......73......J@.......;.9.]....nJ...............R.................."QK.D..S..k$.....J.Q...h**...3.0e........d}}..........}}..z......i$q.R.R.o.P&e....T.2c.1aP_...MLL..-,..K..077351116BEBMB5.h$Q.(1.L.U.z.eP.m*.)....chdd......ccck......}.....[9;.....XYZZX.....a......q.. I.....?..2mtu...c.3.+k[;.'g..W..m..zx...s..}.y..9z..a^.{w...S......qsm.....`ogceafbD... -b...._...............M..^......3n.).~......,.....k...y+...

                                                                                                                                                                                C:\Program Files\FreeFileSync\is-02RD3.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):52941
                                                                                                                                                                                Entropy (8bit):4.834889561469989
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:4IwnwOuD+WlljeKquwIx0i5D/e1iHdTcoPhpkYp/T/FXOx0Bpm3APzB4D:j1OuljeMr5DGwxUETy0Bpm3Al4D
                                                                                                                                                                                MD5:EE9B7FD879D57A35B5F0F575A1755F71
                                                                                                                                                                                SHA1:D3CA973EAA0EC74845E2E7851A6837AE08906E67
                                                                                                                                                                                SHA-256:ADC61454C4F9DA3C500501D33E2949EC5B0B857C57B3CF2FD172FBFF2BF76CDB
                                                                                                                                                                                SHA-512:D32DBF8B3AB9155F008F1283D4F37225E8B66A71F3E58BC1FED566EA8FC3618773DD73A677C772BE0EA4854D75264A8765EB0A3C480418A73060ED93D4B502CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deftab709{\fonttbl{\f0\fswiss\fprq2\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue128;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\nowidctlpar\hyphpar0\qc\kerning1\f0\fs26\lang1031 FreeFileSync: Terms of Use\par....\pard\nowidctlpar\hyphpar0\fs22\par..The FreeFileSync standard and {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#donation-edition" }}{\fldrslt{\ul\cf1\cf2\ul Donation\~Edition}}}}\f0\fs22 are for \b private\~use\b0 only.\par..\b\fs11\par..\fs22 Commercial use\b0 requires buying\b \b0 the {{\field{\*\fldinst{HYPERLINK "https://freefilesync.org/faq.php#business" }}{\fldrslt{\ul\cf1\cf2\ul FreeFileSync\~Business\~Edition}}}}\f0\fs22 . This also applies to government organizations.\par....\pard\nowidctlpar\hyphpar0\qc _____________________________________________________________\par....\pard\nowidctlpar\hyphpar0\par..A. GNU General Public License\par..B. wxWidgets License\par

                                                                                                                                                                                C:\Program Files\FreeFileSync\is-9HG6N.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):390256
                                                                                                                                                                                Entropy (8bit):6.134884165717768
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:B5EBllbJaaRqWCMjtIj2UpComPU8kmz7ia0oQhX:BiBllVfRqWCMYQUzeNLQh
                                                                                                                                                                                MD5:93B8B77BAE7AF0FA64E9F59F8C15351E
                                                                                                                                                                                SHA1:A01661073A1E0BB9EC697645EA2F5D36DDD66530
                                                                                                                                                                                SHA-256:F4D1BBDBB75ED4017ADCEF6295DB223D5B633B9AFD88FD016E86434EDB97A262
                                                                                                                                                                                SHA-512:FA804AA8E41647330512F00BDFA70BC6020C6CDC1AF24C2788D65CE7BD495B7007C9D4B119C9CBE571BF9089CF5843A5118690ED3956A2684403638251473D51
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$b..E...E...E...=...E...=..AE...=...E.......E.......E.......E...=...E...=...E...E.. E..l....E..l...E..l....E..Rich.E..................PE..L.....Tg...............*..........................@..........................P...........@....................................P.......................p(... ...%...d..T....................d......Xc..@............................................text...$........................... ..`.rdata..b...........................@..@.data....^...........~..............@....rsrc...............................@..@.reloc...%... ...&..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Program Files\FreeFileSync\is-AE0J0.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PDF document, version 1.4
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1184858
                                                                                                                                                                                Entropy (8bit):7.9402035905593955
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:6l7kUF9mZjMk+kbTBscPr436Igjl7F+c93ZlWuajrb7:6lTF81D+kpfT436FD9muajrb7
                                                                                                                                                                                MD5:321704EB18195DCE4C1078EADD53C688
                                                                                                                                                                                SHA1:3E68163477D347BE9822453CE42D144E0EEBA1D7
                                                                                                                                                                                SHA-256:32E221D0A3F2CE1E4963006EE95FC0FD2FB4C63CD56113C4021BDF1FBBE8C82D
                                                                                                                                                                                SHA-512:6827089989FA2C1FF1C6E6DF09329B235A507ED078B03F984BF03E14B7B742961B4133A70AF647AA58A08D5DAD49799490B66E1E7E0ADD7EA1B44557CBCE4180
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:%PDF-1.4.1 0 obj.<<./Title (...M.a.n.u.a.l. .-. .F.r.e.e.F.i.l.e.S.y.n.c)./Creator (...w.k.h.t.m.l.t.o.p.d.f. .0...1.2...6)./Producer (...Q.t. .4...8...7)./CreationDate (D:20241207103401+01'00').>>.endobj.3 0 obj.<<./Type /ExtGState./SA true./SM 0.02./ca 1.0./CA 1.0./AIS false./SMask /None>>.endobj.4 0 obj.[/Pattern /DeviceRGB].endobj.6 0 obj.<<./Type /XObject./Subtype /Image./Width 572./Height 575./BitsPerComponent 8./ColorSpace /DeviceGray./Length 7 0 R./Filter /FlateDecode.>>.stream.x..w@......J ........{=..z...b=..b...;..v...;J.D.H.....v}..H'...d~..'......73......J@.......;.9.]....nJ...............R.................."QK.D..S..k$.....J.Q...h**...3.0e........d}}..........}}..z......i$q.R.R.o.P&e....T.2c.1aP_...MLL..-,..K..077351116BEBMB5.h$Q.(1.L.U.z.eP.m*.)....chdd......ccck......}.....[9;.....XYZZX.....a......q.. I.....?..2mtu...c.3.+k[;.'g..W..m..zx...s..}.y..9z..a^.{w...S......qsm.....`ogceafbD... -b...._...............M..^......3n.).~......,.....k...y+...

                                                                                                                                                                                C:\Program Files\FreeFileSync\is-T50S2.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):147223
                                                                                                                                                                                Entropy (8bit):4.884422991548549
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:njjdQgWoXi9Wpsy8tLd3oXU91w28OvY+KlAd7J:TTmy2oks+KAd7J
                                                                                                                                                                                MD5:6E6DBAD61ECC2B74C8150A227CD51FB5
                                                                                                                                                                                SHA1:746924D5F98F9B4428A17CE36FA02B0459E9BC09
                                                                                                                                                                                SHA-256:CF47B6710F5ADD5EB9BF4A4455507A123E17BE212D64A266ED57E1539ACB3EBB
                                                                                                                                                                                SHA-512:A95B93CB659282B978271389681C63964DD85E3E21F42C678A6932E1073D8BBB7A1269898C4CA3FB7017A8FE7496CB11B4A54F043D5C6FC1FB33F2C675C42646
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:FreeFileSync 13.9 [2024-12-07]..------------------------------..Fixed CURLE_SEND_ERROR: OpenSSL SSL_write: SSL_ERROR_SYSCALL, errno 0..Added comparison and sync context menu options for multiple folder pairs..Show file include/exclude filter directly in tooltip..Fixed file not found error when cancelling file up-/download..Fixed showing cancelled config log status after nothing to sync..Updated translation files......FreeFileSync 13.8 [2024-11-04]..------------------------------..Support raw IPv6 server address for (S)FTP..RealTimeSync: Fixed scrollbar when adding/removing folders..Don't set sync direction for partial folder pairs..Uniquely identify partial folder pairs in error message..Fixed network login prompt not showing in Windows 11 24H2......FreeFileSync 13.7 [2024-06-23]..------------------------------..Support copying symlinks between SFTP devices..Fixed input focus not being restored after comparison/sync..Fixed log file pruning not considering selected configuration..Show s

                                                                                                                                                                                C:\Program Files\FreeFileSync\is-VDC8T.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):676464
                                                                                                                                                                                Entropy (8bit):6.18963251148129
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                                                MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                                                SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                                                SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                                                SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FreeFileSync.lnk

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:29:34 2025, mtime=Thu Jan 2 11:29:37 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1019
                                                                                                                                                                                Entropy (8bit):4.436566636633178
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:83SdKLlnKm6UAgtccm3uEkdA5+OdAZxB+8m:83SdKRn56jUcb3BkdA5+OdA5+8
                                                                                                                                                                                MD5:F076F26DAD541C4A34022789E4C3426C
                                                                                                                                                                                SHA1:53C6B24F52919C556E2CD64292212507A07358F0
                                                                                                                                                                                SHA-256:8DF2D1BBB64F9F3026486434825930E1B2BED54AD1E24DE373838733D27D9CB8
                                                                                                                                                                                SHA-512:664DDAB0423CF0E4B8CE97B4F21920C97F3D41392A7C74CB36BDD4F4DFD6D00C37C1164AAAE9FFEC11349E22B3A302D10BC86E5E51384A1DE32A895197A47451
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L..................F.... ....g ..].......].......H..pR...........................P.O. .:i.....+00.../C:\.....................1....."Z.c..PROGRA~1..t......O.I"Z.c....B...............J.....k...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.c..FREEFI~1..J......"Z.c"Z.c..........................1..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.c"Z.c..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...........U........C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.:.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......745481...........hT..CrF.f4... .H.............%..hT..CrF.f4... .H.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM.

                                                                                                                                                                                C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealTimeSync.lnk

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:29:34 2025, mtime=Thu Jan 2 11:29:37 2025, atime=Sat Dec 7 14:38:48 2024, length=390256, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):995
                                                                                                                                                                                Entropy (8bit):4.509819377736112
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:8WdKLlVKIUUAgtET6whkdAKe9MdAZxbQ8m:8WdKRVpUjUET6whkdAKUMdATQ8
                                                                                                                                                                                MD5:944EE3F2CFB9485A884BA7C2F52F12D7
                                                                                                                                                                                SHA1:A03783101A7D7106F6040A3952861FAF2629029A
                                                                                                                                                                                SHA-256:D9E314EA75870FE11F74E632F14154921E468B56967BAADBE7BC7177C169FCE3
                                                                                                                                                                                SHA-512:8A762B129D29214F513B0E134D89220C82FA91CCC136019ED9EBF9E7F7AE73F88EE148EE9C7CD4373A5A7332126791DEB0D0EAE0419BCB3C3042329A3683D8CE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L..................F.... ...jE'..]..Bt...]...4...H..p............................P.O. .:i.....+00.../C:\.....................1....."Z.c..PROGRA~1..t......O.I"Z.c....B...............J.....k...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.c..FREEFI~1..J......"Z.c"Z.c..........................1..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.p....Y.| .REALTI~1.EXE..R......"Z.c"Z.c.............................R.e.a.l.T.i.m.e.S.y.n.c...e.x.e.......]...............-.......\...........U........C:\Program Files\FreeFileSync\RealTimeSync.exe..(.R.e.a.l.T.i.m.e.S.y.n.c. .. .A.u.t.o.m.a.t.e.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.:.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.R.e.a.l.T.i.m.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......745481...........hT..CrF.f4... .J.............%..hT..CrF.f4... .J.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                                                                                                C:\Users\Public\Desktop\FreeFileSync.lnk

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:29:34 2025, mtime=Thu Jan 2 11:29:34 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1007
                                                                                                                                                                                Entropy (8bit):4.450379709009664
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:8z3gdKRnKm6UAgtccm3uEtodA5+OdAZxB+8m:8z3gdKRn56jUcb3BtodA5+OdA5+8
                                                                                                                                                                                MD5:6A3A085CDDF91B37067328EE8D655B9A
                                                                                                                                                                                SHA1:AE3AB3B19CFF789E4E9AFA8091B1161640E874DB
                                                                                                                                                                                SHA-256:D7C992370328F1FC2A986D90790AA36778788CCA603508E3BBA53A5036B21DBC
                                                                                                                                                                                SHA-512:D220B44243A182D74D3C3E0E6C4E496A703A54B8837BF3A4CA24B3C7B5F0C6F06993EA6C1660D5F1BFC5CCE788810167621C4D278F1F713089274E117C213EB7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L..................F.... ....g ..]..Y8$..].......H..pR...........................P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I"Z.c....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.c..FREEFI~1..J......"Z.c"Z.c.........................0..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.c"Z.c..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...........U........C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......745481...........hT..CrF.f4... .H.............%..hT..CrF.f4... .H.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?.........

                                                                                                                                                                                C:\Users\Public\Desktop\RealTimeSync.lnk

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 11:29:34 2025, mtime=Thu Jan 2 11:29:34 2025, atime=Sat Dec 7 14:38:48 2024, length=390256, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):983
                                                                                                                                                                                Entropy (8bit):4.5185716295339695
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:8MXdKLlVKIUUAgtET6whtodAKe9MdAZxbQ8m:8MXdKRVpUjUET6whtodAKUMdATQ8
                                                                                                                                                                                MD5:973968C43B281934E8BD7E291D76FD70
                                                                                                                                                                                SHA1:F0E4AE3F309DC65981540C61B6053EE7D7477E38
                                                                                                                                                                                SHA-256:657BB0F3801504F7CC9A967FF7DD7C895F723C788CD4C3BA308D08682CE804DC
                                                                                                                                                                                SHA-512:3A94040A75945B7B7DABE7542E5DF41AA7B67B7FFAD3085CEFB65682F792D03240E0A1B62F2FE5804E9450E722599EADC1B8E9789F4E6BCA7CE7EC4BAD399510
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L..................F.... ...jE'..]....(..]...4...H..p............................P.O. .:i.....+00.../C:\.....................1....."Z.c..PROGRA~1..t......O.I"Z.c....B...............J.....k...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.c..FREEFI~1..J......"Z.c"Z.c..........................1..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.p....Y.| .REALTI~1.EXE..R......"Z.c"Z.c.............................R.e.a.l.T.i.m.e.S.y.n.c...e.x.e.......]...............-.......\...........U........C:\Program Files\FreeFileSync\RealTimeSync.exe..(.R.e.a.l.T.i.m.e.S.y.n.c. .. .A.u.t.o.m.a.t.e.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.R.e.a.l.T.i.m.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.`.......X.......745481...........hT..CrF.f4... .J.............%..hT..CrF.f4... .J.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):20948
                                                                                                                                                                                Entropy (8bit):5.612745198895773
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:VKz3G+Vz0EdhKwZyBHs+XJC71veFWgTjQG6WQwVVj/DCPfoGhoGen:gJXByy+XUFeD6vyN/8fHhoGo
                                                                                                                                                                                MD5:BB07987007C75A295CF5D7D521C98B4D
                                                                                                                                                                                SHA1:7FC1A2280D8BAFFA11D46E5A0E647436CC7356CE
                                                                                                                                                                                SHA-256:80891F58F963818614B016FDF9CDFF0C444DF5715EB2F3F632FAB3A9E2870056
                                                                                                                                                                                SHA-512:F0D24BE8C79C2249013A8213CD0802725C6A504FC579499299DA98698DB8A6C6C6DB46FC324CE2A87F6192FE50E0F2A865D81F75F80A14724C3B37AADC3FA3C2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:@...e..........................._...).c..............@..........H...............o..b~.D.poM...L..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....6.......System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.|.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4awk44go.xuk.ps1

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e3so0q5u.qzt.ps1

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmfvctd4.hu1.psm1

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlh1ifxh.51f.psm1

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):676464
                                                                                                                                                                                Entropy (8bit):6.18963251148129
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:e+LGHv4E3fx+XjXh0vdb514ocPAwYf7krBl:e+Lov42x+X6lb51+ifwrL
                                                                                                                                                                                MD5:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                                                SHA1:6E288BE940E0035DDD3240537EDEEE3991A665A4
                                                                                                                                                                                SHA-256:919322547B2E2D19BED839B8889A204A3E34742648736E2114F565751FD32351
                                                                                                                                                                                SHA-512:4D710A8D95C7CFFC786743E0DA26D5A1B7CB4C9407EDD789EFA390BB2BA4A1CE670E98484E75BEFBBAF3367CE81B007CD3395F9B4F8ED2900FA086CEA7C995EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........|.c/.c/.c/..`..c/..f.C.c/..`...c/..g...c/..f...c/..g...c/..e..c/..b...c/.b/..c/o.j..c/o../.c/o.a..c/Rich.c/................PE..L.....Tg...............*.D...2......c........`....@.................................A.....@..................................}...........j...........*..p(...p...1...3..T....................3......P2..@............`..T............................text...jB.......D.................. ..`.rdata...,...`.......H..............@..@.data....e...........v..............@....rsrc....j.......l..................@..@.reloc...1...p...2..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-11B86.tmp\_isetup\_setup64.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.bmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe
                                                                                                                                                                                File Type:PC bitmap, Windows 3.x format, 640 x 338 x 24, resolution 11811 x 11811 px/m, cbSize 649014, bits offset 54
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):649014
                                                                                                                                                                                Entropy (8bit):7.631929139691051
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:Tp9pEbGDfpGOSUvwOya4azKgW4YuVQF4TCZ9jdeeMVTWOlvccSBL2rdU9OHMlZtD:Tp9p+GDBG1lOyk1IPjz4Kgkc7dpslZtD
                                                                                                                                                                                MD5:807C6272B698CF9CD24217197A244583
                                                                                                                                                                                SHA1:8923E7930BC080D247E7BEC9897F55205FF9733E
                                                                                                                                                                                SHA-256:C3EB1B52D848646D5B828E60A8A2D659AAB19407DCA9BFC64D5CE1CA985C52C3
                                                                                                                                                                                SHA-512:2857C8159FAD66F6BCDD85D956C933D738270862B1DF65618E72339624024593CA1BDCB46AEF3CC25914ED28039EB8491160584F988FA993CE3DE140DCB3322D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:BM6.......6...(.......R...............#...#............`.b..ZvkMMZD/N99L7]VB.lR..e.i.f.l.k.e.f.i.l.o.p.o.l.k.j.n.y......................q.~e.t].ua.v.~k.yd.u`.t_.t_.q_.n\.l].jY.bRa[HOUB3F5(D12F3JJ2pX<.bE.jK.uT.zW.~\..i.p.r.z...z.}..{.l..e.~c.e.g.xZ.nQ.hJ.^AdV:HL3+C1.A-.D29N?QXIc^O.dU.k[.m_.o`.o^.oZ.oX.s[.zc..j.u..k..v........................r.k.n.o.l.l.k.g.`..\.\.a.g..a..^..g.wVbWC;B3"5&5H9bcI.zV..[._.Y.^.W.S.Q.yQ.{Z.[.^..`.].`..d.|\.sW.iR.bN.iU.zb.h.j.p.u.|..z.g.sV.rX.i.............a.wB~`@mSklX.o^.wf.y..............s.uZ~]<.8..6..4..A%$T<E_MHp^C}dIy]eqU..W.j?.f>.~X..^..].vXg\NudhZRc@R]2SL:`J=kU.lZ4JOJ&6X#0.TTifQ.U*.X0.V8?\;*lC.rB.r>.~I..P..Q..T..V..U..R..O.{J.rB.j<.d9.a9.]5.\4.^7._8.]6.X1.T-.T-.Z0.[/.]0.c4.g9.i:.k<.n>.m=.qA.sC.uD.{I..O..Q..Q..S..^".p@..X..V..H..#.i..S..M..L..L..Q..R..U..W..Y..\..\..[..[..W..U..R..T..W..[..\..]..`..d..f".g*.j/.l1.n7.rA.wH.zK.}N..N.}W..[..\..a..a..h..t..}...........o..9`KV.i...Fki2

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, progressive, precision 8, 640x338, components 3
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):76482
                                                                                                                                                                                Entropy (8bit):7.989908479124603
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:OE+VAMh0dSrdOpCNiEUE/oLMkjuwGq8xMV8SpdwHH7+v9a7ZT4qW:NO0ArIHELkjuU6MrLwHMs9RW
                                                                                                                                                                                MD5:5B7EC8519C145BFA8F3D8A8326D53364
                                                                                                                                                                                SHA1:F9AB9AB0049256C8537221A461C538D3A50A5ADE
                                                                                                                                                                                SHA-256:449EB4A1EA3211A67AF1BCD292AF9B3FAB6F964920F64E71DF254020ED7557C6
                                                                                                                                                                                SHA-512:9DDF25A698F5A2E46A6BB917ECBE6BBC50FDBD1881F7A65CE41561E63A2DEFB1738912D14621D569AF61BF137877A212BD5F288DD02A657F5504982C640AEA17
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......JFIF.....,.,.....C....................................................................C.......................................................................R........................................................................................z&~.7z..^f...f+5..U.*.Vn.u.z.c).....3.>z^.n..$.....c.w.........#....D.0'...C..u...\`J..K1...87._u.>.QK.W............(].2G-)iH.QWPO.\...N..G9s*.V_.>.zB..R..T..Cvg........T..Q.f...X3~..$.IKv..s...q....@$..5.x..!K..}nn...|.(n.ytS~...!.J.vv.......I\..*.*-.;.T.7UH....cy......K..l..Gu..3....~.....".O~.-.K..0.\+.S."u..:C!..tp..YW"O.a.{....Kr.....s.^F}....R...p.=.gm\.\Ys...J...P..QM..^..f:.\.UvN.w.e.....k.&..$..D..$...]_nL..N...e.....'Rd..].T.7.[%....0U..o..i.).W.T...T.7W........&7..h.NU.I.oq....S..2t'.a.&.U..j.^.-^..wY.:......b..I...H..0.Q.:R.].:.#s._bch..T..j.Wn...d.GH.e..+J.qz.8..........F)*<...3.:.Xk.aU.Vu..*.>e.*...1...z..Q.BKc...............4~YO..r.......`a>t.p..H.L....C."<.. .K.D.BN...*M.....H..

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3414640
                                                                                                                                                                                Entropy (8bit):6.589239930239391
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                                                MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                                                SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                                                SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3414640
                                                                                                                                                                                Entropy (8bit):6.589239930239391
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:udJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQi333qFI:AJYVM+LtVt3P/KuG2ONG9iqLRQi333q
                                                                                                                                                                                MD5:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                SHA1:DA7D29720A817A677DCC6AD09ACE07159D1013DA
                                                                                                                                                                                SHA-256:A23438A6655F6F3AA29657497F82E841CF7B7A5E2FACC86A469F3DFBBE800CEF
                                                                                                                                                                                SHA-512:05DAC7C5379D1E89D4E5FF1F0371B00769C64ACEE01AF0AC53821D5E1A38D3515DC689D76A9ABDC55D4EE43C68555A3A4A05B270E7E396A97376186BA9A3D368
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..,........*.......*...@...........................4.......4...@......@...................P,.n.....,.j:...P0.Ll............3.p(....,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...Ll...P0..n..../.............@..@.............04......`3.............@..@................

                                                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\FreeFileSync.lnk

                                                                                                                                                                                Download File
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Thu Jan 2 11:29:34 2025, mtime=Thu Jan 2 11:29:37 2025, atime=Sat Dec 7 14:38:54 2024, length=676464, window=hide
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1049
                                                                                                                                                                                Entropy (8bit):4.414906592731582
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:8QSdKLlnKm6UAgtccm3uEudA5+OdAnxB+8m:8QSdKRn56jUcb3BudA5+OdA/+8
                                                                                                                                                                                MD5:9D9E7C6CD9772273BF754856360C20BA
                                                                                                                                                                                SHA1:3138A31B723A61CA40A18B914FDA41769099B5F0
                                                                                                                                                                                SHA-256:65C3D1FF5286EDCF8B396ACD139FD23965803400D255ADFC7F4DC899A93B7C7C
                                                                                                                                                                                SHA-512:3F99A10B8B7D0166A56A4760F2A879CAC058B2C108AF59CCAE3C23DE27F74DD862EDF18CF27BD24BCDE66C12B10FDB0553A2201F9FECDE6D924BDC19579CD70B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L..................F.... ....g ..].......].......H..pR...........................P.O. .:i.....+00.../C:\.....................1....."Z.c..PROGRA~1..t......O.I"Z.c....B...............J.....k...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1....."Z.c..FREEFI~1..J......"Z.c"Z.c..........................1..F.r.e.e.F.i.l.e.S.y.n.c.....n.2.pR...Y.| .FREEFI~1.EXE..R......"Z.c"Z.c..............................F.r.e.e.F.i.l.e.S.y.n.c...e.x.e.......]...............-.......\...........U........C:\Program Files\FreeFileSync\FreeFileSync.exe..4.F.r.e.e.F.i.l.e.S.y.n.c. .. .F.o.l.d.e.r. .C.o.m.p.a.r.i.s.o.n. .a.n.d. .S.y.n.c.h.r.o.n.i.s.a.t.i.o.n.@.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c.\.F.r.e.e.F.i.l.e.S.y.n.c...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.r.e.e.F.i.l.e.S.y.n.c...-.S.e.n.d.T.o. .`.......X.......745481...........hT..CrF.f4... .H.............%..hT..CrF.f4... .H.............%.E.......9...1SPS..mD..pH

                                                                                                                                                                                Static File Info

                                                                                                                                                                                General

                                                                                                                                                                                File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                Entropy (8bit):7.999991446350162
                                                                                                                                                                                TrID:
                                                                                                                                                                                • ZIP compressed archive (8000/1) 100.00%
                                                                                                                                                                                File name:MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip
                                                                                                                                                                                File size:20'159'091 bytes
                                                                                                                                                                                MD5:040e4e96b3c71169e5706b579862bb8c
                                                                                                                                                                                SHA1:f9da50db010b8704a5246d42d2cd1e898a244b3f
                                                                                                                                                                                SHA256:03691405dc49eed57372ef1877d246c3464453aa26ed49966cae495bb5fb95dd
                                                                                                                                                                                SHA512:526d650f6444b6f03fde557879c2a860acf61159763a0d2bc019b21c69c1412d85b2858713532669b0f1b1415011c190aa91ff3b49d2e3e3028bc727c23f8c14
                                                                                                                                                                                SSDEEP:393216:pq2Kbit+X0V+++W+ibqcpc9dewoRy4suC/O0ZIfblBrDfpc6fn1v70Ry:82KsotZ+qcpc9d14S/O8ULDfC6KRy
                                                                                                                                                                                TLSH:3E1733934920B26608090D86B5A51B0B8E7B7BDF6337CF10283589E315DD75BBF879AC
                                                                                                                                                                                File Content Preview:PK........A_"Z...n..3...;.#.$.FreeFileSync_13.9_Windows_Setup.exe.. ..............].......].......]..*.,.......lY...U-]..s..Ur..[v...>-_N3.;../a.e...`.}.U..-.j.........."5,].........|.3Y...2eq..!...tH.Y...#.....GM<...s.>~..1-Dlh.#IoTa...m..c.u.8:....]1.9l

                                                                                                                                                                                File Icon

                                                                                                                                                                                Icon Hash:1c1c1e4e4ececedc

                                                                                                                                                                                Network Behavior

                                                                                                                                                                                Suricata IDS Alerts

                                                                                                                                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                                                                2025-01-02T13:29:46.203409+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.1649708104.21.2.160443TCP

                                                                                                                                                                                Network Port Distribution

                                                                                                                                                                                TCP Packets

                                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                Jan 2, 2025 13:29:45.722407103 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:45.722429037 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:45.722598076 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:45.723912001 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:45.723926067 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.203329086 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.203408957 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.205969095 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.205976009 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.206362009 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.245939970 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.245963097 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.246025085 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.423671961 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.423780918 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.423839092 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.424231052 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.424240112 CET44349708104.21.2.160192.168.2.16
                                                                                                                                                                                Jan 2, 2025 13:29:46.424251080 CET49708443192.168.2.16104.21.2.160
                                                                                                                                                                                Jan 2, 2025 13:29:46.424253941 CET44349708104.21.2.160192.168.2.16

                                                                                                                                                                                UDP Packets

                                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                Jan 2, 2025 13:29:45.706348896 CET5917053192.168.2.161.1.1.1
                                                                                                                                                                                Jan 2, 2025 13:29:45.715683937 CET53591701.1.1.1192.168.2.16

                                                                                                                                                                                DNS Queries

                                                                                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                Jan 2, 2025 13:29:45.706348896 CET192.168.2.161.1.1.10xd06Standard query (0)api.freefilesync.orgA (IP address)IN (0x0001)false

                                                                                                                                                                                DNS Answers

                                                                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                Jan 2, 2025 13:29:45.715683937 CET1.1.1.1192.168.2.160xd06No error (0)api.freefilesync.org104.21.2.160A (IP address)IN (0x0001)false
                                                                                                                                                                                Jan 2, 2025 13:29:45.715683937 CET1.1.1.1192.168.2.160xd06No error (0)api.freefilesync.org172.67.129.95A (IP address)IN (0x0001)false

                                                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                                                • api.freefilesync.org

                                                                                                                                                                                HTTPS Proxied Packets

                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                0192.168.2.1649708104.21.2.1604436220C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                2025-01-02 12:29:46 UTC212OUTPOST /new_installation HTTP/1.1
                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
                                                                                                                                                                                Accept: */*
                                                                                                                                                                                User-Agent: FFS-Installer
                                                                                                                                                                                Content-Length: 180
                                                                                                                                                                                Host: api.freefilesync.org
                                                                                                                                                                                2025-01-02 12:29:46 UTC180OUTData Raw: 66 66 73 5f 76 65 72 73 69 6f 6e 3d 31 33 2e 39 26 6f 73 5f 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 26 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 5f 74 79 70 65 3d 4c 6f 63 61 6c 26 6f 73 5f 76 65 72 73 69 6f 6e 3d 31 30 2e 30 26 6f 73 5f 61 72 63 68 3d 36 34 26 6c 61 6e 67 75 61 67 65 3d 65 6e 26 63 6f 75 6e 74 72 79 3d 43 48 26 69 6e 73 74 61 6c 6c 65 72 5f 74 79 70 65 3d 41 64 2d 46 72 65 65 26 69 6e 73 74 61 6c 6c 65 72 5f 63 6f 6d 70 69 6c 65 72 3d 49 6e 6e 6f 26 73 74 61 74 75 73 3d 43 6f 6d 70 6c 65 74 65 64 26 73 69 6c 65 6e 74 3d 4e 6f
                                                                                                                                                                                Data Ascii: ffs_version=13.9&os_name=Windows&installation_type=Local&os_version=10.0&os_arch=64&language=en&country=CH&installer_type=Ad-Free&installer_compiler=Inno&status=Completed&silent=No
                                                                                                                                                                                2025-01-02 12:29:46 UTC1104INHTTP/1.1 200 OK
                                                                                                                                                                                Date: Thu, 02 Jan 2025 12:29:46 GMT
                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                Connection: close
                                                                                                                                                                                x-robots-tag: noindex
                                                                                                                                                                                x-content-type-options: nosniff
                                                                                                                                                                                vary: User-Agent
                                                                                                                                                                                Cache-Control: max-age=3600, public
                                                                                                                                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                referrer-policy: no-referrer-when-downgrade
                                                                                                                                                                                x-frame-options: DENY
                                                                                                                                                                                content-security-policy: frame-ancestors 'none';
                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaCByxIp3ECN77Nf0kOHw%2Bi7ZB45f0IibyiYbUkZVqcpO7oMelYLOyRYjlLau03RYq2jGdKv0%2BWHGETKKj4v3y%2Bv%2FFWOnEIcyMV%2BMy75h8T9e0ecBkvbo8w2HjsSsYxM85jOlfJqnA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                CF-RAY: 8fbac1ac58cc4307-EWR
                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5042&min_rtt=4366&rtt_var=2989&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1028&delivery_rate=298690&cwnd=237&unsent_bytes=0&cid=80b90dbca00e6dfd&ts=238&x=0"
                                                                                                                                                                                2025-01-02 12:29:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                Statistics

                                                                                                                                                                                CPU Usage

                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                Memory Usage

                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                High Level Behavior Distribution

                                                                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                                                                Behavior

                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                System Behavior

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:0
                                                                                                                                                                                Start time:07:29:16
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                                                                                Imagebase:0x7ff732920000
                                                                                                                                                                                File size:71'680 bytes
                                                                                                                                                                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:3
                                                                                                                                                                                Start time:07:29:23
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
                                                                                                                                                                                Imagebase:0x600000
                                                                                                                                                                                File size:20'692'472 bytes
                                                                                                                                                                                MD5 hash:954CEE0E02BAC777F4DB7A05EE8BDA65
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:4
                                                                                                                                                                                Start time:07:29:24
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-VOM2R.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$402CA,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe"
                                                                                                                                                                                Imagebase:0x660000
                                                                                                                                                                                File size:3'414'640 bytes
                                                                                                                                                                                MD5 hash:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:7
                                                                                                                                                                                Start time:07:29:24
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA
                                                                                                                                                                                Imagebase:0x600000
                                                                                                                                                                                File size:20'692'472 bytes
                                                                                                                                                                                MD5 hash:954CEE0E02BAC777F4DB7A05EE8BDA65
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:9
                                                                                                                                                                                Start time:07:29:25
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-PU3LU.tmp\FreeFileSync_13.9_Windows_Setup.tmp" /SL5="$A0190,19508176,913920,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip\FreeFileSync_13.9_Windows_Setup.exe" /SPAWNWND=$40290 /NOTIFYWND=$402CA
                                                                                                                                                                                Imagebase:0x20000
                                                                                                                                                                                File size:3'414'640 bytes
                                                                                                                                                                                MD5 hash:AFC70B74FF6456A1DB47AA6A5480A389
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:10
                                                                                                                                                                                Start time:07:29:25
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-11B86.tmp\FreeFileSync.exe" ffs_setup_convert_jpg_to_bmp "C:\Users\user\AppData\Local\Temp\is-11B86.tmp\img_50.jpg"
                                                                                                                                                                                Imagebase:0x9e0000
                                                                                                                                                                                File size:676'464 bytes
                                                                                                                                                                                MD5 hash:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:16
                                                                                                                                                                                Start time:07:29:37
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess 'C:\Program Files\FreeFileSync\Bin\*'"
                                                                                                                                                                                Imagebase:0x930000
                                                                                                                                                                                File size:433'152 bytes
                                                                                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:17
                                                                                                                                                                                Start time:07:29:37
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff6684c0000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:18
                                                                                                                                                                                Start time:07:29:37
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Program Files\FreeFileSync\FreeFileSync.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files\FreeFileSync\FreeFileSync.exe" ffs_setup_finalize
                                                                                                                                                                                Imagebase:0xf0000
                                                                                                                                                                                File size:676'464 bytes
                                                                                                                                                                                MD5 hash:DD8779C4A9D2F47F3C9279F6F7786E69
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:19
                                                                                                                                                                                Start time:07:29:37
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Program Files\FreeFileSync\Bin\FreeFileSync_x64.exe" ffs_setup_finalize
                                                                                                                                                                                Imagebase:0x7ff7f3fb0000
                                                                                                                                                                                File size:17'732'208 bytes
                                                                                                                                                                                MD5 hash:9C31F370631A40917DF397F40C0772DB
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                General

                                                                                                                                                                                Target ID:21
                                                                                                                                                                                Start time:07:29:39
                                                                                                                                                                                Start date:02/01/2025
                                                                                                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                Imagebase:0x7ff6899f0000
                                                                                                                                                                                File size:496'640 bytes
                                                                                                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Disassembly

                                                                                                                                                                                No disassembly